Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Development & Technical Discussion
Re: Please remove Bitcoin from Sourceforge.net
by
Maged
on 17/08/2011, 23:06:25 UTC
Quote from: twobits on August 17, 2011, 04:03:38 PM
Quote from: Maged on August 17, 2011, 03:54:41 PM
Quote from: psy on August 17, 2011, 03:40:11 PM
Quote from: kjj on August 17, 2011, 03:34:05 PM
Do you really think it will be hard for the US gov to make sourceforge put backdoored binaries up on the only mirror we have today?

Fixed that for ya

We would notice within hours if they did that. You see, the SHA-1 hashes of all official releases are PGP signed by a trusted developer, and people DO check them every now and then. It'd be great if we had a bot check them, though.

Thats good. I was surprised that it seemed like they are not.  Would be good to use two different hashes or at least not sha-1 anymore.  Also, it is not obvious at all from the bitcoin.org page.  I just see link to downloads of the binaries, where are the links to the signatures?
What's wrong with just using SHA-1?

The the signed hash list is right along-side the binaries:
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.24/