On Feb 15, 2008, at 23:29, js wrote:

>> You might say we should therefore use sha1 or rmd160 instead. But
>> what if a similar problem is discovered in sha1 or rmd160?
>
> MD5 already has one, others do not.
>
>> Even if flaws exist in all three checksum algorithms that enable
>> differing files to have the same checksum, it is virtually impossible
>> for such a flaw to affect more than one checksum algorithm at a time.
>> That is, take two different files A and B which have been constructed
>> so that their md5 sums are the same. I will eat my hat if they also
>> have the same sha1 sums or the same rmd160 sums.
>>
>> Therefore, use more than one checksum and the weakness of any
>> individual algorithm becomes unimportant.
>
> That makes sense.
> Anyway, the thing is, not dropping MD5 as a checksum but encouraging
> port authors to write more secure Portfiles.
> For this purpose, I like your idea that warns the Portfile author when
> the checksum is not secure enough.

Of course, this won't make Rainer happy. :-)

http://trac.macosforge.org/projects/macports/browser/trunk/dports/editors/vim/files/patchlist?rev=34037

Look at all them pretty md5s...
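
The check discussed in this thread, sketched as an added example (not MacPorts code and not from the original message): every declared checksum must match, and a warning is raised when md5 is the only type declared. The function names, the `WEAK` set, and the restriction to a single-file `type value` list are assumptions of this sketch.

```python
import hashlib

# Checksum types named in the thread; "rmd160" maps to hashlib's "ripemd160".
HASHLIB_NAME = {"md5": "md5", "sha1": "sha1", "rmd160": "ripemd160"}
WEAK = {"md5"}  # assumption: md5 is the only type this sketch treats as weak


def parse_checksums(spec):
    """Parse 'type hex type hex ...' pairs (single-file form) into a dict."""
    tokens = spec.split()
    if len(tokens) % 2:
        raise ValueError("checksums must be type/value pairs")
    pairs = {}
    for kind, value in zip(tokens[0::2], tokens[1::2]):
        if kind not in HASHLIB_NAME:
            raise ValueError(f"unknown checksum type: {kind}")
        pairs[kind] = value.lower()
    return pairs


def check_distfile(data, spec):
    """Return (ok, warnings); ok is True only if every declared checksum matches."""
    declared = parse_checksums(spec)
    if not declared:
        return False, ["no checksums declared"]
    warnings = []
    if set(declared) <= WEAK:
        warnings.append("only weak checksum types declared: "
                        + ", ".join(sorted(declared)))
    ok = True
    for kind, expected in declared.items():
        try:
            actual = hashlib.new(HASHLIB_NAME[kind], data).hexdigest()
        except ValueError:
            # Some OpenSSL builds omit RIPEMD-160; fail closed instead of skipping.
            warnings.append(f"{kind} unavailable in this Python build, not verified")
            ok = False
            continue
        if actual != expected:
            warnings.append(f"{kind} mismatch")
            ok = False
    return ok, warnings


if __name__ == "__main__":
    # Constructed sample: the md5 digest of the empty byte string.
    print(check_distfile(b"", "md5 d41d8cd98f00b204e9800998ecf8427e"))
```

Because the loop requires all declared types to match, a file crafted to collide under md5 alone still fails as soon as a second type is listed.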