From: ISHIKAWA,chiaki <ish...@yk...> - 2017-06-18 07:53:47
On 2017/06/16 22:55, John Reiser wrote:
> On 06/16/2017 06:31 AM, Zhiming Wang wrote:
>> By the way, just a suggestion, maybe you could publish the
>> SHA-256 checksums of release tarballs instead of MD5?
>
> Please also publish the exact length in bytes.
> This is worth _more_ than expanding the width of the checksum,
> because it is easier (much easier) to produce checksum collisions
> by extending the length.
>
> It's not signed (by PGP/GPG, for example), is it?

I realized that it is not.(!)
(I saw no trace of signature files for verification on my local PC.)

I know all the pitfalls of signing by open keys, but it still adds
a layer of confidence, much better than a single checksum as noted above.

Thank you again for sharing a great piece of software.

TIA
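A download-side check for the two values requested in this thread (exact byte length and SHA-256), as an added example that is not part of the original message or the project's own code; the function names and the sample data are constructed for illustration. Both values are only as trustworthy as the channel they were published on, which is the gap a detached signature would close.

```python
import hashlib
import hmac
import os
import tempfile


def verify_release(path, expected_size, expected_sha256, chunk=1 << 20):
    """Return a list of failed checks; an empty list means the file matches."""
    failures = []
    # Length first: cheap, and it rejects truncated or padded files outright.
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        failures.append(f"size: expected {expected_size}, got {actual_size}")
    # Stream the file so large tarballs are not read into memory at once.
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    published = expected_sha256.strip().lower()
    if not hmac.compare_digest(digest.hexdigest(), published):
        failures.append("sha256: digest mismatch")
    return failures


def demo():
    """Check an intact, a padded and a same-length modified copy."""
    # Constructed sample data standing in for a release tarball.
    payload = b"constructed release tarball contents\n" * 64
    size, sha256 = len(payload), hashlib.sha256(payload).hexdigest()
    variants = {
        "intact": payload,
        "padded": payload + b"appended bytes",   # longer than published
        "flipped": b"X" + payload[1:],           # same length, one byte changed
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in variants.items():
            path = os.path.join(tmp, name + ".tar")
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = verify_release(path, size, sha256)
    return results


if __name__ == "__main__":
    for name, failures in demo().items():
        print(name, failures or "OK")
```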