by nadams 3910 days ago
I recall a story about an infected version of qemu (might have happened to other software) for Windows. Basically they hacked the site, replaced the binaries with infected ones AND updated the hashes.

I also recall one or two stories where the binaries were infected but the hashes not updated - this was obviously caught pretty quickly and fixed.

However, I remember a time when Firefox served downloads directly from their mirrors. This case could be good for comparing hashes - but now it looks like they use Amazon's CloudFront.

But yes - for the average guy, generating a hash for your releases (where your release and hash come from the same server) doesn't provide any real benefit.