by luizcdc 1138 days ago
I don't understand what's the harm of having a releases page with a binary and its md5 hash, or how that keeps anyone from just compiling an unofficial binary themselves and adding malware to it.

Anyone not technical enough to compile a binary has to give up trying to use it or risk some unofficially distributed executable.

1 comments

An md5 can be created for the trojaned binary and be posted along with it.

Not to mention that the md5 checksum is a very poor choice for this purpose because of the ease of creating md5 collisions.

But not on the official page, right? And there's nothing stopping someone from doing that now is there? I don't see how the original authors providing binaries is less secure than anything else.

The official page can be hacked, and both malware and md5 of the malware can be placed there.

That's the whole point of using a cryptographic signature backed by a web of trust instead of a mere hash.

Where would the hash be advertised?

Yeah but still hackers can abuse SEO and direct visits to their pages. If you are not careful you might accidentally download a malicious binary.
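The distinction drawn in the thread between a hash posted beside the binary and a signature checked against a key obtained elsewhere, as an added example that is not part of this discussion: it models a compromised release page where whoever controls the page can regenerate the hash but not the maintainer's signature. It assumes Go's standard-library Ed25519 and SHA-256 as stand-ins for whatever a real project would use; the release layout and sample bytes are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Release is what a downloads page publishes: the artifact, the digest printed
// beside it and, for a signed release, a detached signature over that digest.
// (Constructed model for this example, not any project's real format.)
type Release struct {
	Binary []byte
	Digest string // hex SHA-256 of Binary, as shown on the page
	Sig    []byte // Ed25519 signature over the digest string
}

func digest(b []byte) string {
	d := sha256.Sum256(b)
	return hex.EncodeToString(d[:])
}

// Publish builds a release whose digest is signed with the given private key.
func Publish(priv ed25519.PrivateKey, binary []byte) Release {
	d := digest(binary)
	return Release{Binary: binary, Digest: d, Sig: ed25519.Sign(priv, []byte(d))}
}

// VerifyHashOnly is all a visitor can do when the page shows just a hash:
// confirm the download matches whatever hash the same page advertises.
func VerifyHashOnly(r Release) bool { return digest(r.Binary) == r.Digest }

// VerifySigned also checks the signature against a public key obtained out of
// band (keyservers, a web of trust, an earlier release), so the page itself is
// no longer the trust anchor.
func VerifySigned(pub ed25519.PublicKey, r Release) bool {
	return VerifyHashOnly(r) && ed25519.Verify(pub, []byte(r.Digest), r.Sig)
}

// Scenario returns (hashOnlyAcceptsTampered, signedAcceptsTampered, signedAcceptsGenuine).
func Scenario() (bool, bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attacker, _ := ed25519.GenerateKey(rand.Reader) // key the page's hijacker holds
	genuine := Publish(priv, []byte("constructed sample binary v1.0"))
	// Compromised page: trojaned binary, a freshly matching hash, attacker-signed.
	bad := Publish(attacker, []byte("constructed sample binary v1.0 + payload"))
	return VerifyHashOnly(bad), VerifySigned(pub, bad), VerifySigned(pub, genuine)
}
```

The hash-only check passes on the tampered release because the page supplied both the binary and the hash; the signed check fails because the pinned public key never signed that digest.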