On Fri, Aug 23, 2019 at 11:08 AM Stuart Barkley <stua...@4gh.net> wrote:
>
> Is it possible for these email announcements to include the MD5 and
> SHA1 information that is contained on the download page? I like to
> verify the checksums using a different channel than that used to
> retrieve the software.

Not that I want to deride anyone's efforts to verify integrity of OSS software; I just want to point out that using an unverified source to verify a source isn't exactly prudent. If Tim signed his emails with a PGP key, then what you want to do would be great, but he doesn't. At least the website is SSL, so you can at least trust you're getting them from a verified source. Of course, if someone hacks the website and changes the tarballs plus the MD5s, well, then you lose. But anyone can send unverified emails as well.