On Mon, Nov 27, 2017 at 7:38 AM, Chris Clayton via gegl-developer-list
<gegl-developer-list@gnome.org> wrote:
> Hi
> gegl-0.3.24 and babl-0.1.38 have been released recently, but in neither case 
> have the SHA<n>SUMS files been regenerated.
> Where possible, I like to verify sources before building and installing on my 
> system. I'm sure I'm not alone in this.

For downloads directly from https://download.gimp.org/ - these
checksums provide about as much verification as the bz2 compression
itself, if the download is corrupted the unpacking of the archives
would fail, a malicious attacker that hacked into download.gimp.org
would be able to change both the archive and checksums anyways. These
checksum files are most useful for mirrors when mirroring as well as
manual checking of something downloaded from a mirror against
checksums gotten directly from download.gimp.org; and they've been
updated now.

gegl-developer-list mailing list
List address:    gegl-developer-list@gnome.org
List membership: https://mail.gnome.org/mailman/listinfo/gegl-developer-list

Reply via email to