Well, that is scary. I personally don't check ISO checksums and signatures very often. Probably the only time I do is when I sometimes get install errors and wonder if I got all the bits and if anything got corrupted.
I've grown obsessive about it. When you're conscious about that, it's amazing (to put it mildly) how many prominent projects don't bother with any authentication.
If they managed to hack the site to point to the new ISO, they probably also changed any checksums. Signatures help, if you have a way to verify that you are using the right key.
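The point in the comment above, as an added example that is not part of the thread: a checksum served beside the image only shows that the two match each other, and a signature helps only when it is checked against a key obtained out of band. The Go sketch uses Ed25519 from the standard library in place of the OpenPGP signatures distributions normally use; every name, key and byte string in it is constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Download is what a site serves: image, checksum file, detached signature.
type Download struct{ ISO, Sums, Sig []byte }

// sumsFor builds a one-line SHA256SUMS-style file for the image.
func sumsFor(iso []byte) []byte {
	h := sha256.Sum256(iso)
	return []byte(hex.EncodeToString(h[:]) + "  distro.iso\n")
}

// ChecksumOK proves only that the image matches the checksum served with it.
func ChecksumOK(d Download) bool {
	return bytes.Equal(sumsFor(d.ISO), d.Sums)
}

// SignatureOK authenticates the checksum file with the given public key,
// then checks the image against the authenticated checksum.
func SignatureOK(d Download, key ed25519.PublicKey) bool {
	return ed25519.Verify(key, d.Sums, d.Sig) && ChecksumOK(d)
}

// Scenario builds a genuine release and a replaced one whose checksum and
// signature were regenerated with a key published on the same site.
func Scenario() (good, bad Download, pinned, siteKey ed25519.PublicKey) {
	pinned, relPriv, _ := ed25519.GenerateKey(nil)   // key the user got out of band
	siteKey, sitePriv, _ := ed25519.GenerateKey(nil) // key served by the altered site
	iso, swapped := []byte("genuine image"), []byte("replaced image")
	good = Download{ISO: iso, Sums: sumsFor(iso), Sig: ed25519.Sign(relPriv, sumsFor(iso))}
	bad = Download{ISO: swapped, Sums: sumsFor(swapped), Sig: ed25519.Sign(sitePriv, sumsFor(swapped))}
	return
}

func main() {
	good, bad, pinned, siteKey := Scenario()
	fmt.Println("genuine, pinned key:  ", ChecksumOK(good), SignatureOK(good, pinned))
	fmt.Println("replaced, site's key: ", ChecksumOK(bad), SignatureOK(bad, siteKey))
	fmt.Println("replaced, pinned key: ", ChecksumOK(bad), SignatureOK(bad, pinned))
}
```

Only the last check rejects the replaced image, because it is the only one whose trust anchor did not come from the site that served the download.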