[68957] trunk/base/ChangeLog

Eric Hall opendarwin.org at darkart.com
Wed Jun 23 17:21:49 PDT 2010


On Wed, Jun 23, 2010 at 07:15:47PM -0500, Ryan Schmidt wrote:
[snip]

> For another, I'm unsure we really need sha256 checksums in there. It's already complete overkill that we're putting three different checksums; using four verges on crazy. The only reason we put more than one checksum at all is to prevent a vulnerability in any single checksum algorithm from compromising MacPorts' integrity, but this possibility itself is already so extremely remote as to be of virtually no interest at all. Really the only purpose the checksums need to serve is to ensure the distfile the user downloaded is the same one the port maintainer tested with.
> 

	From what basis do you make the claim:

		...prevent a vulnerability in any single checksum algorithm from
		compromising MacPorts' integrity, but this possibility itself is
		already so extremely remote...

	Did you find a study on this, or do some research?

	FWIW, I tend to agree that adding a fourth checksum is a bit overkill.  It might
be worth upgrading one of the older checksums (md5, sha1) to sha256 though.



			-eric
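A small verifier in the spirit of the checksum discussion above (an added example, not MacPorts' own code nor anything from the thread's authors): it parses a Portfile-style `checksums` line, requires every listed digest to match, and, as an assumption of this example rather than MacPorts policy, treats md5 and sha1 as weak so that at least one stronger algorithm such as sha256 must be present.

```python
import hashlib
import hmac

# Treated as weak for this example only (an assumption, not MacPorts policy).
WEAK_ALGORITHMS = {"md5", "sha1"}


def parse_checksums(spec):
    """Parse a Portfile-style 'checksums md5 <hex> sha1 <hex> ...' line
    into {algorithm: hex_digest}. Raises ValueError on malformed input."""
    tokens = spec.split()
    if not tokens or tokens[0] != "checksums" or len(tokens[1:]) % 2:
        raise ValueError("malformed checksums line")
    pairs = tokens[1:]
    expected = {}
    for algo, digest in zip(pairs[::2], pairs[1::2]):
        algo = algo.lower()
        if algo not in hashlib.algorithms_available:
            raise ValueError("unsupported algorithm: %s" % algo)
        expected[algo] = digest.lower()
    return expected


def verify_distfile(data, expected, require_strong=True):
    """Return (ok, report). ok is True only if EVERY listed digest matches,
    so a collision against one algorithm alone cannot pass the file. With
    require_strong, at least one non-weak algorithm must be listed; a
    failure of that rule is recorded under the 'policy' key of the report."""
    report = {}
    for algo, want in expected.items():
        got = hashlib.new(algo, data).hexdigest()
        report[algo] = hmac.compare_digest(got, want)
    ok = bool(report) and all(report.values())
    if require_strong and not (set(expected) - WEAK_ALGORITHMS):
        report["policy"] = False
        ok = False
    return ok, report


def make_spec(data, algorithms):
    """Build a checksums line from real digests of data, the way a
    maintainer would record them after testing the distfile."""
    return "checksums " + " ".join(
        "%s %s" % (a, hashlib.new(a, data).hexdigest()) for a in algorithms)


if __name__ == "__main__":
    # Constructed stand-in for a downloaded tarball.
    distfile = b"constructed distfile contents\n"
    spec = make_spec(distfile, ["md5", "sha1", "sha256"])
    print(verify_distfile(distfile, parse_checksums(spec)))
    print(verify_distfile(distfile + b"x", parse_checksums(spec)))
```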
