On Mon, Nov 27, 2017 at 7:38 AM, Chris Clayton via gegl-developer-list <firstname.lastname@example.org> wrote: > Hi > > gegl-0.3.24 and babl-0.1.38 have been released recently, but in neither case > have the SHA<n>SUMS files been regenerated. > > Where possible, I like to verify sources before building and installing on my > system. I'm sure I'm not alone in this.
For downloads directly from https://download.gimp.org/ - these checksums provide about as much verification as the bz2 compression itself, if the download is corrupted the unpacking of the archives would fail, a malicious attacker that hacked into download.gimp.org would be able to change both the archive and checksums anyways. These checksum files are most useful for mirrors when mirroring as well as manual checking of something downloaded from a mirror against checksums gotten directly from download.gimp.org; and they've been updated now. /pippin _______________________________________________ gegl-developer-list mailing list List address: email@example.com List membership: https://mail.gnome.org/mailman/listinfo/gegl-developer-list