On the downloads page, there are links to download individual packages and their SHA1 checksums.
These links point to piccolo.link and then to sbt-downloads.cdnedge.bluemix.net. The problem is that the checksums are also linked/hosted on those same sites.
While this arrangement might be useful for error checking, it is not useful for verifying the integrity of the packages.
To enable integrity checking of the downloaded packages, please host the checksums on the same host as the website, ideally by expanding the checksum in the HTML itself.
Alternatively / additionally, you could add a link to the GitHub release page, which has the checksum files (though they get served via GitHub's CDN).
An assumption in my request is that GitHub and scala-sbt.org are well known and hence more trusted by most people.
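The distinction the issue draws, as an added example that is not part of the original post or of sbt's tooling: a matching SHA1 only proves integrity when the checksum came over HTTPS from an origin the user already trusts. The `TRUSTED_HOSTS` set, the function names and the `PLACEHOLDER` URLs are assumptions made for illustration.

```python
import hashlib
import hmac
import io
from urllib.parse import urlsplit

# Assumption: the two origins the issue names as already trusted by users.
TRUSTED_HOSTS = frozenset({"scala-sbt.org", "github.com"})


def checksum_role(checksum_url, trusted_hosts=TRUSTED_HOSTS):
    """Say what a checksum fetched from checksum_url (after redirects) can prove."""
    parts = urlsplit(checksum_url)
    if parts.scheme == "https" and parts.hostname in trusted_hosts:
        return "integrity"
    # Whoever can replace the package on this host can replace the checksum too.
    return "error-detection-only"


def parse_sha1(text):
    """Accept a bare digest or sha1sum-style '<hex>  <filename>' content."""
    fields = text.split()
    token = fields[0].lower() if fields else ""
    if len(token) != 40 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("not a SHA1 hex digest")
    return token


def sha1_of(stream, chunk=65536):
    """Hash a binary stream in chunks so large packages are not loaded whole."""
    digest = hashlib.sha1()
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()


def verify(stream, checksum_text, checksum_url):
    """Return (digest_matches, role); only (True, 'integrity') is a real check."""
    matches = hmac.compare_digest(sha1_of(stream), parse_sha1(checksum_text))
    return matches, checksum_role(checksum_url)


if __name__ == "__main__":
    pkg = b"constructed package bytes"  # constructed sample, not a real sbt package
    published = hashlib.sha1(pkg).hexdigest() + "  sbt.tgz\n"
    for url in ("https://sbt-downloads.cdnedge.bluemix.net/PLACEHOLDER.sha1",
                "https://scala-sbt.org/PLACEHOLDER.sha1"):
        print(url, verify(io.BytesIO(pkg), published, url))
```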