While we are on this side topic, I would like to point out that hosting the signature files right alongside the binaries is also probably not the best idea. If I can replace files on sf, I would just replace both now.
Sure, you could replace SHA1SUMS.asc, but you wouldn't be able to change it without invalidating the PGP signature.
Should be true, but where does it show who is supposed to be signing it and the information for me to check it? Right now, if someone else signed it, or it even showed up as an unsigned file, as a user downloading from the links on the front page, would I ever know? I still need more information from a source that is not sf to test this.
The simple reality is, if you don't already know who the trusted developers are, how could you trust who the site says should be signing it? Point is, it'd create a false sense of security if the site said who can be trusted to sign the files.
As long as somebody can verify the files as having not come from a trusted developer, the word will spread that SourceForge was hacked. That would be the end of SourceForge.
By the way, Jeff Garzik is a trusted developer.
hmm...
http://sourceforge.net/apps/wordpress/sourceforge/2011/01/27/sourceforge-net-attack-update/ They still seem to be around; I also recall issues 7 years or so back. They also do not need to compromise sf, just the accounts that can update the bitcoin stuff. Hopefully it is not the same user account that can update the binaries and change the bitcoin.org page!
The simple idea is that adding another factor makes distributing compromised binaries a lot more likely to be caught quickly. It also gives me as a user some steps I can take to try and protect myself, rather than waiting for someone else to maybe verify it. How often is it being checked, really? When set up properly I should at least know that it required tampering with two sites and/or two different users to spoof me. (Of course I need to make sure my DNS is not spoofed, etc. etc.... but this would still be a lot better than how it is right now.)
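The verification the thread is circling around (a signed SHA1SUMS.asc, a signer whose identity must come from somewhere other than sf, and a hash check of each downloaded binary) as an added example, not code from anyone in this thread or from the Bitcoin project. It assumes the checksum file is in the usual RFC 4880 cleartext-signature layout, that `gpg` is installed with the developer's key already imported, and that the expected fingerprint was obtained out-of-band; the file names, file contents and the signature block in `demo()` are constructed placeholders, so `demo()` exercises only the parsing and hash comparison and never calls `gpg`.

```python
"""Check downloaded binaries against a cleartext-signed SHA1SUMS.asc.

Two independent checks: (1) the signature must be valid AND made by the
key whose fingerprint you already know from a source other than the
download site; (2) every file's SHA-1 must match the signed list.
Example code; not from the thread or the project it discusses.
"""
import hashlib
import os
import re
import subprocess
import tempfile

CLEARTEXT_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_HEADER = "-----BEGIN PGP SIGNATURE-----"
SUM_LINE = re.compile(r"^([0-9a-fA-F]{40})\s+\*?(.+)$")


def extract_cleartext(asc_text):
    """Return the signed body lines of a cleartext-signed file.

    Skips the armor headers ("Hash: SHA1") and undoes dash-escaping
    ("- -foo" was "-foo" before signing), as RFC 4880 section 7 describes.
    """
    lines = asc_text.splitlines()
    try:
        start = lines.index(CLEARTEXT_HEADER)
        end = lines.index(SIG_HEADER)
    except ValueError:
        raise ValueError("not a cleartext-signed file")
    i = start + 1
    while i < end and lines[i].strip():  # armor headers end at a blank line
        i += 1
    body = lines[i + 1:end]
    return [l[2:] if l.startswith("- ") else l for l in body]


def parse_sums(body_lines):
    """Parse sha1sum-style lines ('<hex>  name' or '<hex> *name') into {name: hex}."""
    sums = {}
    for line in body_lines:
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        m = SUM_LINE.match(line)
        if not m:
            raise ValueError("unparseable checksum line: %r" % line)
        sums[m.group(2)] = m.group(1).lower()
    return sums


def sha1_of_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files(sums, directory):
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING'} for every listed file."""
    results = {}
    for name, expected in sums.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha1_of_file(path) == expected else "MISMATCH"
    return results


def signature_is_from(asc_path, expected_fingerprint):
    """True only if gpg reports VALIDSIG with exactly the pinned fingerprint.

    A signature from some other key, or no signature at all, is a failure;
    this is the 'who is supposed to be signing it' check. Requires gpg.
    """
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", asc_path],
                          capture_output=True, text=True)
    want = expected_fingerprint.replace(" ", "").upper()
    for line in proc.stdout.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            return line.split()[2].upper() == want
    return False


def demo():
    """Constructed release directory: one good file, one tampered, one absent."""
    with tempfile.TemporaryDirectory() as d:
        good = {"bitcoin-example-linux.tar.gz": b"constructed linux bytes\n",
                "bitcoin-example-win32-setup.exe": b"constructed windows bytes\n"}
        for name, data in good.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        lines = ["%s  %s" % (sha1_of_file(os.path.join(d, n)), n) for n in good]
        lines.append("0" * 40 + "  bitcoin-example-macosx.dmg")  # never downloaded
        asc = "\n".join([CLEARTEXT_HEADER, "Hash: SHA1", ""] + lines + [
            SIG_HEADER, "Version: GnuPG v1", "",
            "(constructed placeholder, not a real signature)",
            "-----END PGP SIGNATURE-----", ""])
        # Tamper with one binary after the sums were "signed".
        with open(os.path.join(d, "bitcoin-example-win32-setup.exe"), "ab") as f:
            f.write(b"trojan bytes\n")
        return check_files(parse_sums(extract_cleartext(asc)), d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-10s %s" % (status, name))
```

In real use, run `signature_is_from("SHA1SUMS.asc", FINGERPRINT)` first and stop if it returns False; only then parse the body and call `check_files`. The fingerprint constant is the "second factor" the post asks for, and it has to come from somewhere other than the site serving the binaries, or the check proves nothing.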
It is still all moot, though, as the bitcoin.org site itself is hosted on SourceForge. So even now that I know this, I am still not protected; as you are right, I cannot trust the site to confirm sf is not giving me bad files, even knowing whose sig to check now.
One issue brought up was: what if some government orders sf to plant a tampered binary? They say "give all those Freedoinians this binary instead." Now sf sets up geotargeting so they get those binaries and their version of the sf page. Even knowing to check it with Jeff's signature, they get results that say it is OK. The odds that the people who do check the signature are in the targeted country are also pretty low. If the person who can check is not being targeted, it does not matter that they can check, even if they do it every minute.