Re: Let's avoid using md5 as checksum

2008-02-17 Thread Anders F Björklund
Jordan K. Hubbard wrote: Given all the other unfinished or unstarted work in MacPorts which needs to happen just to get the collection halfway reliable, it seems to me that arguing over the safety of a commonly used checksum is little more than a distraction and represents time that could be

Re: Let's avoid using md5 as checksum

2008-02-16 Thread Kevin Van Vechten
This is really a non-issue. The intent of the MD5 in the Portfile is to easily identify when a source archive was corrupted during download, or when a 404 file was obtained instead of a source archive. It's not about security, it's about providing a checksum for data -- and to that effect

Re: Let's avoid using md5 as checksum

2008-02-16 Thread David Bruce
Hi, I'm the upstream maintainer of tuxmath, and I also want to add it to MacPorts and become the port maintainer for it. So, regarding checksums, I take it that it would be best (from the point of view of MacPorts, and probably anyone else who cares to verify that they are getting unaltered

Re: Let's avoid using md5 as checksum

2008-02-16 Thread Rainer Müller
Ryan Schmidt wrote: Of course, this won't make Rainer happy. :-) http://trac.macosforge.org/projects/macports/browser/trunk/dports/editors/vim/files/patchlist?rev=34037 Look at all them pretty md5s... These md5s are released upstream [1] and I just use them. Of course I now could also

Re: Let's avoid using md5 as checksum

2008-02-16 Thread Ryan Schmidt
On Feb 16, 2008, at 05:41, David Bruce wrote: I'm the upstream maintainer of tuxmath, and I also want to add it to MacPorts and become the port maintainer for it. So, regarding checksums, I take it that it would be best (from the point of view of MacPorts, and probably anyone else

Committing new port submissions (was: Re: Let's avoid using md5 as checksum)

2008-02-16 Thread Rainer Müller
Ryan Schmidt wrote: Rainer has commented on your ticket so once you review those changes I imagine he'll commit it. Yes, that was my intention :-) I saw your earlier message but did not have time to deal with it. Sometimes we're just short on time and tickets get forgotten. That's often

Let's avoid using md5 as checksum

2008-02-15 Thread js
Hi, As you know, MD5 has serious flaws (http://en.wikipedia.org/wiki/MD5) So recently I don't use it and even remove it when I found it in the checksum part of portfile. I thought dropping use of md5 in portfile would be nice. Any thought?

Re: Let's avoid using md5 as checksum

2008-02-15 Thread Ryan Schmidt
On Feb 15, 2008, at 21:16, js wrote: As you know, MD5 has serious flaws (http://en.wikipedia.org/wiki/MD5) So recently I don't use it and even remove it when I found it in the checksum part of portfile. I thought dropping use of md5 in portfile would be nice. Any thought? Disagree. Three

Re: Let's avoid using md5 as checksum

2008-02-15 Thread Rainer Müller
js wrote: As you know, MD5 has serious flaws (http://en.wikipedia.org/wiki/MD5) So recently I don't use it and even remove it when I found it in the checksum part of portfile. I thought dropping use of md5 in portfile would be nice. Any thought? I don't think these flaws are strong enough

Re: Let's avoid using md5 as checksum

2008-02-15 Thread Eric Hall
On Sat, Feb 16, 2008 at 04:36:12AM +0100, Rainer Müller wrote: js wrote: As you know, MD5 has serious flaws (http://en.wikipedia.org/wiki/MD5) So recently I don't use it and even remove it when I found it in the checksum part of portfile. I thought dropping use of md5 in portfile would

Re: Let's avoid using md5 as checksum

2008-02-15 Thread js
Disagree. Three types of checksums (md5, sha1, rmd160) in a portfile are stronger than just two. I would agree that ports should not use md5 alone, but I would also say that ports should not use sha1 or rmd160 alone. Ports should use all three checksum types. When we have sha1 and rmd160

Re: Let's avoid using md5 as checksum

2008-02-15 Thread Ryan Schmidt
On Feb 15, 2008, at 22:14, js wrote: Disagree. Three types of checksums (md5, sha1, rmd160) in a portfile are stronger than just two. I would agree that ports should not use md5 alone, but I would also say that ports should not use sha1 or rmd160 alone. Ports should use all three checksum

Re: Let's avoid using md5 as checksum

2008-02-15 Thread Jordan K. Hubbard
Given all the other unfinished or unstarted work in MacPorts which needs to happen just to get the collection halfway reliable, it seems to me that arguing over the safety of a commonly used checksum is little more than a distraction and represents time that could be devoted to more

Re: Let's avoid using md5 as checksum

2008-02-15 Thread Ryan Schmidt
On Feb 15, 2008, at 23:29, js wrote: You might say we should therefore use sha1 or rmd160 instead. But what if a similar problem is discovered in sha1 or rmd160? MD5 already has one, the others do not. Even if flaws exist in all three checksum algorithms that enable differing files to have

Re: Let's avoid using md5 as checksum

2008-02-15 Thread js
NP, the author is free to ignore the warning message ;) On Feb 16, 2008 2:36 PM, Ryan Schmidt [EMAIL PROTECTED] wrote: On Feb 15, 2008, at 23:29, js wrote: You might say we should therefore use sha1 or rmd160 instead. But what if a similar problem is discovered in sha1 or rmd160? MD5

Re: Let's avoid using md5 as checksum

2008-02-15 Thread William Allen Simpson
On 2/15/08, Eric Hall [EMAIL PROTECTED] wrote: I believe there are attacks against MD5 that make it insufficient to verify that the right distfile was downloaded. You believe incorrectly. All known attacks require that the generator of the tarball is compromised. That is, there are no
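The two points made in this thread (Ryan Schmidt's "three checksum types are stronger than two" and William Allen Simpson's "all known attacks require that the generator of the tarball is compromised") can be checked concretely. The block below is an added example, not MacPorts code and not code posted by anyone in the thread. The two 128-byte inputs are the published Wang et al. (2004) MD5-colliding pair, as reproduced on the Wikipedia MD5 page: they differ in six bytes but have the same MD5. Everything else (the function names, the Portfile-style checksum dict, the constructed 404 page) is illustrative.

```python
"""Added example: what an MD5 collision does and does not buy an attacker
against a Portfile 'checksums' line, and why listing several hash types
helps.  Not MacPorts code; the collision pair is the published Wang et al.
(2004) pair, the rest is hypothetical."""
import hashlib

# Published MD5-colliding pair (two single-block messages, 128 bytes each).
COLLISION_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
COLLISION_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")

# MacPorts checksum names -> hashlib names.  rmd160 is absent on some
# OpenSSL 3 builds, which is exactly the "unavailable" case handled below.
ALGOS = {"md5": "md5", "sha1": "sha1", "rmd160": "ripemd160"}


def digest(algo, data):
    """Hex digest under a MacPorts checksum name, or None if unavailable."""
    try:
        return hashlib.new(ALGOS.get(algo, algo), data).hexdigest()
    except ValueError:
        return None


def verify_distfile(data, expected):
    """Portfile-style check: 'expected' maps checksum names to hex digests.

    Returns (ok, report).  ok is True only if every listed checksum
    matches.  An algorithm this host cannot compute counts as a failure,
    not a skip, so a listed rmd160 is never silently dropped."""
    report = {}
    for algo, want in expected.items():
        got = digest(algo, data)
        if got is None:
            report[algo] = "unavailable"
        elif got == want.lower():
            report[algo] = "match"
        else:
            report[algo] = "MISMATCH"
    return all(v == "match" for v in report.values()), report


def checksums_of(data, algos=("md5", "sha1", "rmd160")):
    """What a maintainer would paste into the Portfile checksums line."""
    out = {}
    for a in algos:
        d = digest(a, data)
        if d is not None:
            out[a] = d
    return out


def collision_demo():
    """Model the thread's scenario.

    Upstream ships file A and publishes its checksums.  An attacker who
    also controlled the generation of A can ship B, its MD5-colliding twin.
    A third party who merely intercepts the download cannot: tampering with
    an already-published file is a second-preimage problem, and a casual
    edit (or a 404 page) is caught even by MD5 alone."""
    md5_only = {"md5": digest("md5", COLLISION_A)}
    md5_sha1 = checksums_of(COLLISION_A, ("md5", "sha1"))
    tampered = COLLISION_A[:-1] + bytes([COLLISION_A[-1] ^ 0x01])
    not_found = b"<html><body>404 Not Found</body></html>"  # constructed
    return {
        "files_differ": COLLISION_A != COLLISION_B,
        "md5_collides": digest("md5", COLLISION_A) == digest("md5", COLLISION_B),
        "sha1_collides": digest("sha1", COLLISION_A) == digest("sha1", COLLISION_B),
        "md5_only_accepts_swap": verify_distfile(COLLISION_B, md5_only)[0],
        "md5_sha1_accepts_swap": verify_distfile(COLLISION_B, md5_sha1)[0],
        "md5_only_catches_tamper": not verify_distfile(tampered, md5_only)[0],
        "md5_only_catches_404": not verify_distfile(not_found, md5_only)[0],
    }


if __name__ == "__main__":
    for k, v in collision_demo().items():
        print(f"{k}: {v}")
```

Running it shows the split the thread is arguing over: the swapped twin passes an md5-only line and fails as soon as sha1 is also listed, while a corrupted download or a 404 page fails under md5 alone. The collision only helps someone who produced both files before the checksums were published, which is Simpson's point; it does nothing against a hash of a file the attacker did not author.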

Re: Let's avoid using md5 as checksum

2008-02-15 Thread Blair Zajac
William Allen Simpson wrote: On 2/15/08, Eric Hall [EMAIL PROTECTED] wrote: And that is the only relevant issue. Something that a hash cannot solve. As long as we ONLY use hashes generated by the distfile author, located on the distfile site, and NEVER generate our own, we'll be fine. We

Re: Let's avoid using md5 as checksum

2008-02-15 Thread Ryan Schmidt
On Feb 16, 2008, at 01:49, William Allen Simpson wrote: On 2/15/08, Eric Hall wrote: I believe there are attacks against MD5 that make it insufficient to verify that the right distfile was downloaded. You believe incorrectly. All known attacks require that the generator of the tarball is