Opened 12 years ago

Closed 5 years ago

#37667 closed enhancement (fixed)

port lint should complain about using only md5 or sha1 checksums

Reported by: ryandesign (Ryan Carsten Schmidt) Owned by: macports-tickets@…
Priority: Normal Milestone: MacPorts 2.6.0
Component: base Version:
Keywords: Cc:
Port:

Description

port lint should issue a warning if any distfile or patchfile is listed with only an md5 or sha1 checksum, since md5 is a broken algorithm and sha1 is also kind of old by now. The warning message should encourage portfile authors to use both rmd160 and sha256 checksums on each file, like we show in the guide.

Change History (5)

comment:1 Changed 12 years ago by ryandesign (Ryan Carsten Schmidt)

Type: defectenhancement

comment:2 Changed 12 years ago by afb@…

There is no real reason to prefer rmd160 over sha1, though. Might as well use sha256 only, if updating them.

comment:3 Changed 12 years ago by ryandesign (Ryan Carsten Schmidt)

We want to use at least two checksum types for each distfile, so that we never again have a problem if hash algorithm is later found to be deficient in some way. We have for some time already recommended the use of the rmd160 and sha256 pair.

comment:5 Changed 5 years ago by jmroot (Joshua Root)

Milestone: MacPorts FutureMacPorts 2.6.0
Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.