Message: md5 hashes: request for rmd160 or sha256
I'm trying to create a new Geant4 package for MacPorts (current package is for version 9.4 and is based on GNU make). I was using MD5 checksums from cmake/Modules/Geant4DatasetDefinitions.cmake, but other developers urged me to add rmd160 and sha256 checksums for security reasons.
Citing Ryan Schmidt:
md5 is an insecure algorithm and should no longer be used on its own as a means of verifying anything. If that's all upstream publishes, then you can use it in a portfile, in addition to a secure algorithm like rmd160 or sha256, but please ask upstream to switch to a secure checksum method for their published values. ... Certainly if a malicious hacker can replace the software tarball on the original site with an altered version, they can probably replace the checksums on the web page as well.
But I want to make sure you understand that because of flaws in the md5 algorithm that make it possible to create collisions, the following events can occur:
- developer releases new version of software, publishing its md5 checksum
- later, a hacker releases a different tarball containing malicious software but which has the same md5 checksum; perhaps they cannot post it to the original server, but maybe they can compromise a mirror.
- you write a portfile for the new version, fetching the file from a compromised mirror; you verify the md5 checksum with what upstream published and it matches; you generate new rmd160 and sha256 checksums of the compromised file and put them in the portfile
- the software you now install via the portfile is not the software the developer developed
The solution is for upstream to cease using md5 as their distfile integrity verification method and switch to an algorithm that does not have such vulnerabilities.
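The check described in the quoted message, as an added example that is not part of the original post or of MacPorts itself: it parses a portfile-style `checksums` stanza and accepts a distfile only if every declared value matches and at least one of rmd160 or sha256 was actually verified. The function names and the sample bytes are constructed for illustration, and the strong checksum values are assumed to come from upstream rather than from hashing the downloaded file.

```python
import hashlib

STRONG = {"sha256", "rmd160"}  # the algorithms the post names as secure
HASHLIB_NAME = {"md5": "md5", "rmd160": "ripemd160", "sha256": "sha256"}

def parse_checksums(stanza):
    """Parse a portfile-style 'checksums' stanza into {type: value}."""
    tokens = stanza.replace("\\\n", " ").split()
    if not tokens or tokens[0] != "checksums":
        raise ValueError("not a checksums stanza")
    pairs = tokens[1:]
    if len(pairs) % 2:
        raise ValueError("checksum type without a value")
    return {t.lower(): v.lower() for t, v in zip(pairs[::2], pairs[1::2])}

def digest(name, data):
    """Hex digest, or None if this Python/OpenSSL build lacks the algorithm."""
    try:
        return hashlib.new(HASHLIB_NAME[name], data).hexdigest()
    except (KeyError, ValueError):
        return None

def verify(data, declared):
    """Return (ok, reasons). Every declared value must match, and at least
    one strong algorithm must have been checked successfully."""
    reasons, strong_checked = [], False
    for name, expected in declared.items():
        if name == "size":
            if len(data) != int(expected):
                reasons.append("size: mismatch")
            continue
        actual = digest(name, data)
        if actual is None:
            reasons.append(f"{name}: cannot compute on this system")
        elif actual != expected:
            reasons.append(f"{name}: mismatch")
        elif name in STRONG:
            strong_checked = True
    if not strong_checked:
        reasons.append("no strong checksum verified (md5 alone is not enough)")
    return (not reasons, reasons)

if __name__ == "__main__":
    data = b"constructed stand-in for a distfile"  # sample bytes, not a real tarball
    md5_only = {"md5": digest("md5", data)}
    print(verify(data, md5_only))  # rejected: only md5 was declared
    full = {"sha256": digest("sha256", data), "size": str(len(data))}
    print(verify(data, full))      # accepted
```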