Let's avoid using md5 as checksum
Kevin Van Vechten
kvv at apple.com
Sat Feb 16 01:20:45 PST 2008
This is really a non-issue. The intent of the MD5 in the Portfile is
to easily identify when a source archive was corrupted during download,
or when a 404 file was obtained instead of a source archive. It's not
about security, it's about providing a checksum for data -- and to
that effect MD5 will always be preferable to CRC32.

Few projects are distributed with signatures, and even if they were I
doubt anyone really audits the code they compile and execute. If
you're really concerned about security, you need to invest in a whole
lot more infrastructure and process than simply changing digest
algorithms.

- Kevin

On Feb 16, 2008, at 12:11 AM, William Allen Simpson wrote:
> On Feb 16, 2008 2:57 AM, Ryan Schmidt <ryandesign at macports.org> wrote:
>> On Feb 16, 2008, at 01:49, William Allen Simpson wrote:
>>> As long as we ONLY use hashes generated by the distfile author,
>>> located on the distfile site, and NEVER generate our own, we'll be
>>> fine.
>>
>> But we don't do that. At least, I'm constantly generating my own
>> checksums for my portfiles. The developers of most of my ports do not
>> provide checksums.
>>
> Trust is not transitive.
>
> If you download a file, and generate your own hash, that really defeats
> the whole purpose of tarball verification. Then, it doesn't matter what
> checksum is used, or its cryptographic strength, as you have no way of
> indicating who generated that hash.