Hi,

Many thanks for listing me on your developer map.

On sagemath.org I go to Download source [1] then I choose mirror [2]

On the mirror I see:

sage-10.5.tar.gz    torrent    1535.20 MB    2024-12-04 00:28
MD5: 83dab794f87e989a30e248f3b39c40db

There are several potential issues with this:

1. If the mirror is compromised or MITM'ed, it could provide whatever checksum.
There is an unencrypted "http://" mirror, University of Washington,
Seattle, WA, USA [3].
Is this a real concern?
2. The MD5 hash function has been deprecated for years and is considered broken.

One possible approach is to sign the tarballs, or only the hashes, with gpg.

[1] https://www.sagemath.org/download-source.html
[2] https://sage.mirror.garr.it/mirrors/sage/src/index.html
[3] http://files.sagemath.org/src/index.html
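
Added example, not part of the original post and not Sage project code: a check that shows why a checksum served by the same mirror as the tarball does not detect a swapped file, while a digest obtained from a channel the mirror does not control does. The file name, the sample bytes and the "trusted" manifest are constructed; the trusted manifest stands in for one authenticated out of band, for example by a gpg signature as the post suggests.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, algo="sha256", chunk=1 << 20):
    """Stream the file so a 1.5 GB tarball never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines: '<hex digest>  <filename>'."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # skip blanks, comments and malformed lines
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries

def verify(path, name, manifest_text, algo="sha256"):
    """True only if the file matches the digest the manifest lists for name."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False  # an unlisted file is never accepted
    return hmac.compare_digest(file_digest(path, algo), expected)

def demo():
    """Constructed scenario: the mirror swaps the tarball and its checksum."""
    name = "sage-example.tar.gz"            # hypothetical file name
    genuine = b"genuine release bytes"      # constructed sample data
    tampered = b"tampered release bytes"    # constructed sample data
    # Manifest from a channel the mirror does not control (assumption).
    trusted = f"{hashlib.sha256(genuine).hexdigest()}  {name}\n"
    # Manifest served by the compromised mirror next to the swapped file.
    mirror = f"{hashlib.sha256(tampered).hexdigest()}  {name}\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(tampered)
        # (check against mirror's own manifest, check against trusted manifest)
        return verify(path, name, mirror), verify(path, name, trusted)
```

`demo()` returns one result per manifest: the swapped file passes against the mirror's own manifest and fails against the independently obtained one.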
