While we are on this side topic, I would like to point out that hosting the signature files right alongside the binaries is also probably not the best idea. If I can replace files on sf I would just replace both now.
Sure, you could replace SHA1SUMS.asc, but you wouldn't be able to change it without invalidating the PGP signature.
Should be true, but where does it show who is supposed to be signing it and the information for me to check it? Right now, if someone else signed it, or it even showed up as an unsigned file, as a user downloading from the links on the front page, would I ever know? I still need more information from a source that is not sf to test this.
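The check the last post is asking for, written out as an added example (not code from the thread or from the project being discussed): a POSIX shell gate that accepts SHA1SUMS.asc only when GnuPG reports a VALIDSIG from a primary-key fingerprint pinned in advance. The pinned fingerprint is a placeholder standing in for one obtained from somewhere other than the download host; the status lines are in GnuPG's documented `--status-fd` format, and the sample status outputs are constructed here to exercise the three cases in the thread (correctly signed, signed by someone else, unsigned). A GOODSIG line alone is deliberately not enough, since it only says the signature matched some key in the local keyring.

```shell
#!/bin/sh
# Added example: gate a downloaded SHA1SUMS.asc on a PGP signature from a key
# whose fingerprint was learned out of band, not from the download site.
set -eu

# Hypothetical pinned primary-key fingerprint (placeholder, assumed to have been
# obtained from the project's own site or a prior release, not from the mirror).
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status PINNED_FPR  (reads "gpg --status-fd 1" output on stdin)
# Returns 0 only if a VALIDSIG line names the pinned primary-key fingerprint.
# BADSIG, ERRSIG (unknown key) and NODATA (no signature at all) are rejected,
# and a GOODSIG from any other key is rejected by never setting seen_valid.
check_status() {
    pinned=$1
    seen_valid=0
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                # Last field is the primary key fingerprint, so signatures made
                # by a signing subkey of the pinned key are still accepted.
                primary_fpr=${line##* }
                if [ "$primary_fpr" = "$pinned" ]; then
                    seen_valid=1
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NODATA "*)
                return 1
                ;;
        esac
    done
    [ "$seen_valid" -eq 1 ]
}

# verify_sums FILE.asc PINNED_FPR: run gpg on a clearsigned checksum file and
# let check_status decide; the caller then runs sha1sum -c on the signed text.
verify_sums() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | check_status "$2"
}

# Constructed sample status outputs (not captured from a real run).
sample_status_good() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 89ABCDEF01234567 Example Project <release@example.invalid>' \
        '[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2024-01-01 1704067200 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567' \
        '[GNUPG:] TRUST_UNDEFINED 0 pgp'
}
sample_status_other_key() {
    # Valid signature, but from a key that is not the pinned one.
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <other@example.invalid>' \
        '[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 1 10 01 FEDCBA9876543210FEDCBA9876543210FEDCBA98' \
        '[GNUPG:] TRUST_UNDEFINED 0 pgp'
}
sample_status_unsigned() {
    # What gpg reports when the file carries no signature at all.
    printf '%s\n' '[GNUPG:] NODATA 1'
}
```

Usage on a real download would be `verify_sums SHA1SUMS.asc "$PINNED_FPR" && gpg --batch --yes --output SHA1SUMS --decrypt SHA1SUMS.asc && sha1sum -c SHA1SUMS`; the point of the parser is that the decision rests on the fingerprint you brought with you, so a swapped signature file on the mirror fails closed rather than merely warning.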