Opened 11 years ago
Closed 4 years ago
#37667 closed enhancement (fixed)
port lint should complain about using only md5 or sha1 checksums
| Reported by: | ryandesign (Ryan Carsten Schmidt) | Owned by: | macports-tickets@… |
|---|---|---|---|
| Priority: | Normal | Milestone: | MacPorts 2.6.0 |
| Component: | base | Version: | |
| Keywords: | Cc: | ||
| Port: |
Description
port lint should issue a warning if any distfile or patchfile is listed with only an md5 or sha1 checksum, since md5 is a broken algorithm and sha1 is also kind of old by now. The warning message should encourage portfile authors to use both rmd160 and sha256 checksums on each file, like we show in the guide.
Change History (5)
comment:1 Changed 11 years ago by ryandesign (Ryan Carsten Schmidt)
| Type: | defect → enhancement |
|---|
comment:2 Changed 11 years ago by afb@…
comment:3 Changed 11 years ago by ryandesign (Ryan Carsten Schmidt)
We want to use at least two checksum types for each distfile, so that we never again have a problem if hash algorithm is later found to be deficient in some way. We have for some time already recommended the use of the rmd160 and sha256 pair.
comment:4 Changed 6 years ago by herbygillot (Herby Gillot)
This can probably now be closed as per:
-and-
comment:5 Changed 4 years ago by jmroot (Joshua Root)
| Milestone: | MacPorts Future → MacPorts 2.6.0 |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
Note: See
TracTickets for help on using
tickets.
There is no real reason to prefer rmd160 over sha1, though. Might as well use sha256 only, if updating them.