This is really a non-issue. The intent of the MD5 in the Portfile is to easily identify when a source archive was corrupted during download, or when a 404 file was obtained instead of a source archive. It's not about security, it's about providing a checksum for data -- and to that effect MD5 will always be preferable to CRC32. Few projects are distributed with signatures, and even if they were I doubt anyone really audits the code they compile and execute. If you're really concerned about security, you need to invest in a whole lot more infrastructure and process than simply changing digest algorithms.

- Kevin

On Feb 16, 2008, at 12:11 AM, William Allen Simpson wrote:
On Feb 16, 2008 2:57 AM, Ryan Schmidt <ryandesign@macports.org> wrote:
On Feb 16, 2008, at 01:49, William Allen Simpson wrote:
As long as we ONLY use hashes generated by the distfile author, located on the distfile site, and NEVER generate our own, we'll be fine.
But we don't do that. At least, I'm constantly generating my own checksums for my portfiles. The developers of most of my ports do not provide checksums.
Trust is not transitive.
If you download a file, and generate your own hash, that really defeats the whole purpose of tarball verification. Then, it doesn't matter what checksum is used, or its cryptographic strength, as you have no way of indicating who generated that hash.