Thanks, but I don't understand why they would put them in the release announcement instead of the download page. Everyone wanting to download this software will head straight to the download link and won't have time to hunt for blog posts.
Also sha1 should be avoided nowadays, but at least it's not md5...
Well, the reason is that I went crazy from people mailing me "what are those numbers? what should I do with them? They are scary!!!" We had to make the download page as simple as possible -- and I still get mails from people who cannot figure out how to download Krita. Several, per week.
If you're the site maintainer please consider adding a link to the KDE https downloads or a link to the checksums somewhere on the download page, in the source code tab or even at the bottom.
Good enough for verifying integrity in transit ("the line didn't mangle any bits"). Without a side channel, that's all the hashes are good for (if someone can get a rogue version on a site, they can also change the hashes displayed on the same site).