> I'd like to remove the SHA1 hashes now[0] and stop new ones
> from being generated, since they do nothing but waste CPU cycles.
> This leaves us with SHA512 and RMD160. Using at least two different
> hashes is a good idea, in case one is found to be broken.
Looks like agc explicitly added RMD160/SHA512 hashes to all distinfo
files in 2015? If that's the case, yeah, I think it's fine to nuke
the SHA-1 distfile info.
Well, technically, RMD160 digests were added (in addition to SHA1) in 2005, and SHA512 in 2015; but, whatever, the idea behind multiple digests was defence in depth, and that even if one digest was "broken", then the others would act together with the broken one to protect the distfiles (so I disagree about the wasting CPU cycles part in the quoted text), but quibbles aside, it's the right move to make.
Completely agree about digest's technical flaws, but it's not really been fundamentally changed since it was introduced (DIGEST_REQD in mk/tools/
digest.mk is 20010302), and we're all 20 years older than we were. As well as the deficiencies moof mentioned, it could also do with splitting into a separate library package (using the same sources).
Also, digest includes blake2b, but not 2s. I guess not everything's an amd64.