While we are on this side topic, I would like to point out that hosting the signature files right alongside the binaries is also probably not the best idea. If I can replace files on sf I would just replace both now.
Sure, you could replace SHA1SUMS.asc, but you wouldn't be able to change it without invalidating the PGP signature.
Should be true, but where does it show who is supposed to be signing it and the information for me to check it? Right now if someone else signed it, or it even showed up as an unsigned file, as a user, downloading from the links on the front page, would I ever know? I still need more information from a source that is not sf to test this.
The simple reality is, if you don't already know who the trusted developers are, how could you trust who the site says should be signing it? Point is, it'd create a false sense of security if the site said who can be trusted to sign the files.
As long as somebody can verify the files as having not come from a trusted developer, the word will spread that SourceForge was hacked. That would be the end of SourceForge.
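An added example (not from this thread or from any project) of the check the posters are circling around: verify SHA1SUMS.asc against a key fingerprint supplied from somewhere other than SourceForge, and only then trust the checksum list for the binaries. It assumes a clearsigned SHA1SUMS.asc, that gpg and sha1sum are installed, and that the caller passes the expected fingerprint; the fingerprint in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Verify a PGP-signed checksum file against a key fingerprint obtained
# out of band, then check the downloaded binaries against the list.
# Assumed: gpg and sha1sum are installed; the expected fingerprint comes
# from the caller (a source that is NOT the download site).

# Read gpg's machine-readable status output on stdin and print the
# fingerprint of the key that made a VALID signature; prints nothing
# if gpg reported no valid signature (BADSIG, ERRSIG, NODATA, ...).
signer_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# $1: clearsigned checksum file (e.g. SHA1SUMS.asc)
# $2: expected signer fingerprint, 40 upper-case hex digits, no spaces
#     (constructed placeholder: 0123456789ABCDEF0123456789ABCDEF01234567)
# Returns 0 only if the signature is valid, was made by the expected key,
# and every file listed matches its SHA-1.
verify_release() {
    sums_asc="$1"
    expected="$2"
    # gpg exits 0 for any good signature, even from an unknown key, so the
    # fingerprint comparison below is what actually establishes the signer.
    status=$(gpg --batch --status-fd 1 --verify "$sums_asc" 2>/dev/null) || return 1
    actual=$(printf '%s\n' "$status" | signer_fingerprint)
    [ -n "$actual" ] || return 1
    [ "$actual" = "$expected" ] || return 1
    # Only now use the signed content as the list of expected checksums.
    gpg --batch --decrypt "$sums_asc" 2>/dev/null | sha1sum -c --status
}
```

A mismatch between the site's claimed signer and the fingerprint you obtained elsewhere is exactly the case the thread describes, and this script fails closed on it.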
By the way, Jeff Garzik is a trusted developer.