by AsyncAwait 3258 days ago
This seems to be the same problem that many open-source projects have, where the MD5 hash to verify your download is at a single (often the same) location.

One possible solution would be to use a Twitter pinned tweet to also announce the address; however, it's questionable how many people would actually cross-check.


I know given the thread this is in makes it ironic, but a public blockchain would actually serve as a pretty good place to keep a checksum ;p You would check the official blockchain address for a repository and know that the checksum there has not been modified. As long as the process of creating the transaction is done correctly.
I always found that fascinating myself, serving the download and checksum from the same source.

Doesn't HTTP have enough redundancy checks built in to make this pointless? The only time to really do a checksum isn't on a browser download, it's when you push it over some serial connection, or Android adb or something else.

I suppose the "Here's the MD5 for your download" concept is useful if the file is being served from a different host than the website itself. Someone could tamper with the file server, but may not have access to the HTML rendering a link to that file server.

But you're right about serving the data & checksum from the same source. I don't see what extra layer of security or integrity it adds. Someone tampering with server file system, or the data transfer (MitM) inherently has the access they need to inject their own MD5 into the HTML.

It's useful if you have already downloaded the file from somewhere else and want to check if it's the right one without downloading everything from scratch.

Furthermore it's very much possible to get corrupt data over HTTP if you have a poor connection and download a big file.

If you want a really secure "checksum", your best bet is probably a GPG signature file from a widely distributed and trusted key.

If someone can MITM your download, in many scenarios they could MITM Twitter as well.
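The point made above about checksums served from the same host as the download, and the cross-check idea from the original post, as an added example that is not code from any commenter: a verifier for `sha256sum`-format checksum files that only accepts a download when every independently obtained copy of the checksum agrees and matches the data. The release name and file contents are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample release (hypothetical name and contents, not from the thread).
RELEASE_NAME = "tool-1.0.tar.gz"
GENUINE_FILE = b"genuine release contents"
TROJANED_FILE = b"genuine release contents plus an implant"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sums_file(data: bytes, name: str) -> str:
    """Produce one line in `sha256sum` output format: '<hex>  <name>'."""
    return f"{sha256_hex(data)}  {name}\n"

def parse_sums(text: str) -> dict:
    """Parse `sha256sum` output into {name: hex}; '*' marks binary-mode entries."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        sums[name.lstrip("*")] = digest.lower()
    return sums

def verify(data: bytes, name: str, *sums_texts: str) -> bool:
    """Accept only if every source lists `name`, all sources agree, and the data matches."""
    expected = []
    for text in sums_texts:
        sums = parse_sums(text)
        if name not in sums:
            return False
        expected.append(sums[name])
    if not expected:
        return False
    if any(not hmac.compare_digest(d, expected[0]) for d in expected[1:]):
        return False  # copies disagree: at least one source was altered
    return hmac.compare_digest(sha256_hex(data), expected[0])

def single_source_fooled() -> bool:
    # Whoever controls the download host also rewrites the checksum file beside the
    # trojaned tarball, so a check against that single copy passes.
    return verify(TROJANED_FILE, RELEASE_NAME, sums_file(TROJANED_FILE, RELEASE_NAME))

def cross_check_catches() -> bool:
    # Same download, but the digest is also fetched from an independent channel
    # (e.g. the pinned tweet proposed in the post); the disagreement is detected.
    server_copy = sums_file(TROJANED_FILE, RELEASE_NAME)
    out_of_band = sums_file(GENUINE_FILE, RELEASE_NAME)
    return verify(TROJANED_FILE, RELEASE_NAME, server_copy, out_of_band)
```

The same structure applies when the out-of-band copy is a signed checksum file: the independent element is then the signing key, which must be obtained from somewhere other than the download host.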