This is really a non-issue. The intent of the MD5 in the Portfile is to easily identify when a source archive was corrupted during download, or when a 404 file was obtained instead of a source archive. It's not about security, it's about providing a checksum for data -- and to that effect MD5 will always be preferable to CRC32.
Few projects are distributed with signatures, and even if they were I doubt anyone really audits the code they compile and execute. If you're really concerned about security, you need to invest in a whole lot more infrastructure and process than simply changing digest algorithms.

- Kevin

On Feb 16, 2008, at 12:11 AM, William Allen Simpson wrote:

> On Feb 16, 2008 2:57 AM, Ryan Schmidt <[EMAIL PROTECTED]> wrote:
>> On Feb 16, 2008, at 01:49, William Allen Simpson wrote:
>>> As long as we ONLY use hashes generated by the distfile author,
>>> located on the distfile site, and NEVER generate our own, we'll be
>>> fine.
>>
>> But we don't do that. At least, I'm constantly generating my own
>> checksums for my portfiles. The developers of most of my ports do not
>> provide checksums.
>>
> Trust is not transitive.
>
> If you download a file, and generate your own hash, that really defeats
> the whole purpose of tarball verification. Then, it doesn't matter what
> checksum is used, or its cryptographic strength, as you have no way of
> indicating who generated that hash.

_______________________________________________
macports-dev mailing list
macports-dev@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev
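The following is an added example, not code from this thread or from MacPorts itself, that plays out both points made above: a Portfile-style checksums line catches a corrupted download or a 404 page served in place of the archive, but if the maintainer generated that line from their own download, a tampered archive verifies just as cleanly. The distfile bytes, the HTML 404 body and the "checksums <algo> <hex> ..." line format are constructed for the example; the function names are the example's own.

```python
import hashlib

# Constructed stand-in for a source archive (not a real distfile).
DISTFILE = b"example-1.0.tar.gz: constructed archive bytes\n" * 8

# Constructed stand-in for what a web server hands back instead of the archive.
NOT_FOUND_PAGE = b"<html><head><title>404 Not Found</title></head><body>Not Found</body></html>\n"


def portfile_checksums_line(data: bytes, algos=("md5", "sha256")) -> str:
    """Produce a Portfile-style 'checksums' line from a local copy of the file.

    This is what a maintainer does when upstream publishes no digests: the
    hashes describe whatever bytes the maintainer happened to download.
    """
    pairs = [f"{algo} {hashlib.new(algo, data).hexdigest()}" for algo in algos]
    return "checksums " + " ".join(pairs)


def parse_checksums(line: str) -> dict:
    """Parse 'checksums md5 <hex> sha256 <hex> ...' into {algo: hex}."""
    tokens = line.split()
    if not tokens or tokens[0] != "checksums" or len(tokens) % 2 == 0:
        raise ValueError(f"malformed checksums line: {line!r}")
    return dict(zip(tokens[1::2], tokens[2::2]))


def verify_distfile(data: bytes, checksums: dict):
    """Return (ok, mismatches); mismatches maps algo -> actual hex on failure.

    Every listed digest must match; one mismatch fails the download.
    """
    mismatches = {}
    for algo, expected in checksums.items():
        actual = hashlib.new(algo, data).hexdigest()
        if actual != expected.lower():
            mismatches[algo] = actual
    return (not mismatches), mismatches


def corrupt(data: bytes, offset: int = 17) -> bytes:
    """Flip one bit, simulating a damaged download."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def run_scenarios() -> dict:
    """Exercise the cases discussed: good, corrupted, 404, and tampered-then-hashed."""
    good_line = portfile_checksums_line(DISTFILE)
    good_sums = parse_checksums(good_line)
    results = {
        "intact": verify_distfile(DISTFILE, good_sums)[0],
        "corrupted": verify_distfile(corrupt(DISTFILE), good_sums)[0],
        "not_found_page": verify_distfile(NOT_FOUND_PAGE, good_sums)[0],
    }
    # Trust is not transitive: if the maintainer's own download was already
    # tampered with, the line generated from it verifies the tampered bytes.
    tampered = DISTFILE.replace(b"constructed", b"backdoored!")
    tampered_sums = parse_checksums(portfile_checksums_line(tampered))
    results["tampered_hashed_by_maintainer"] = verify_distfile(tampered, tampered_sums)[0]
    results["tampered_vs_honest_line"] = verify_distfile(tampered, good_sums)[0]
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:32s} {'verified' if ok else 'REJECTED'}")
```

The first three results are what the checksum is there for: the intact archive passes, and a bit flip or an HTML error page fails on every digest, MD5 included. The last two show the limit: the same digest set says "verified" for the tampered archive as soon as the checksums line was generated from the tampered bytes, which is why changing MD5 for a stronger algorithm does nothing for that case.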