On Sat, Feb 15, 2014 at 7:04 AM, Roman Cheplyaka <roma@ro-che.info> wrote:
* Peter Simons <simons@cryp.to> [2014-02-15 15:54:57+0100]
> Hi Alexander,
>
>  > Is there anywhere I can find SHA hashes for the official GHC builds?
>
> I don't think the GHC folks publish such hashes anywhere. You might want to
> create a Trac ticket to that extent, because they really should, IMHO.
>
> For the time being, there is no way for you to authenticate those binaries.

This is one thing I never really understood. Can someone explain it
to me? I suppose that SHA hashes are meaningless unless they are
PGP-signed by, say, Austin? So what's the advantage over distributing a
PGP signature for the tarball itself?

For my part, my question was mostly motivated by the tools I'm using, which use SHA hashes.  You are right that signing would provide more security, but the tools I'm evaluating use hashes.  And I can foresee circumstances in which they provide protection against attack.  For example, some large projects mirror the keys.  An unannounced change of the hash would get noticed.  This is especially true if I keep a copy of the hash.  Making hashes is pretty cheap.  So is signing.  I am not against signing as well, by any means.
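As an added illustration of the argument in the last message (this is example code, not anything from the thread or from the GHC project): a locally kept copy of the hash plus a check that independently run mirrors publish the same value, using constructed sample bytes and a placeholder artifact name.

```python
import hashlib
import hmac

# Constructed sample bytes standing in for a GHC binary tarball (not real GHC data).
ARTIFACT = "ghc-<version>-<platform>.tar.bz2"   # placeholder name, not a real release file
GOOD_TARBALL = b"constructed tarball contents for the example"
BAD_TARBALL = GOOD_TARBALL + b"\x00 extra bytes inserted on a hostile mirror"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def mirrors_agree(published: dict) -> bool:
    """Hash values fetched from several independent mirrors must all match.

    A single server serving both the tarball and its hash proves nothing, since
    whoever replaced one can replace the other; agreement across mirrors run by
    different parties is the signal the message relies on."""
    return len(published) >= 2 and len(set(published.values())) == 1


class PinnedHashes:
    """Locally kept copy of the hash per artifact name (the 'copy of the hash')."""

    def __init__(self):
        self._pins = {}

    def check(self, name: str, data: bytes, published: dict) -> str:
        if not mirrors_agree(published):
            return "mirrors-disagree"
        digest = sha256_hex(data)
        if not hmac.compare_digest(digest, next(iter(published.values()))):
            return "download-mismatch"      # file differs from what the mirrors publish
        pinned = self._pins.get(name)
        if pinned is None:
            self._pins[name] = digest        # trust on first use; a signature would close this gap
            return "pinned"
        return "ok" if hmac.compare_digest(pinned, digest) else "changed-since-pinned"


def demo():
    store = PinnedHashes()
    good = sha256_hex(GOOD_TARBALL)
    bad = sha256_hex(BAD_TARBALL)
    return [
        store.check(ARTIFACT, GOOD_TARBALL, {"mirror-a": good, "mirror-b": good}),  # first sight
        store.check(ARTIFACT, GOOD_TARBALL, {"mirror-a": good, "mirror-b": good}),  # unchanged
        store.check(ARTIFACT, BAD_TARBALL, {"mirror-a": bad, "mirror-b": good}),    # one mirror tampered
        store.check(ARTIFACT, BAD_TARBALL, {"mirror-a": bad, "mirror-b": bad}),     # unannounced change
    ]
```

The last case is the one the message describes: every mirror now publishes a new hash, and only the locally kept copy reveals that the artifact changed without announcement.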