[Numpy-discussion] Verify your sourceforge windows installer downloads

David Cournapeau cournape at gmail.com
Thu May 28 09:35:55 EDT 2015

IMO, this really begs the question on whether we still want to use
sourceforge at all. At this point I just don't trust the service at all.

Could we use some resources (e.g. rackspace?) to host those files? Do we
know how much traffic they get, to estimate the cost?


On Thu, May 28, 2015 at 9:46 PM, Julian Taylor <
jtaylor.debian at googlemail.com> wrote:

> hi,
> It has been reported that sourceforge has taken over the gimp
> unofficial windows downloader page and temporarily bundled the
> installer with unauthorized adware:
> https://plus.google.com/+gimp/posts/cxhB1PScFpe
> As NumPy is also distributing windows installers via sourceforge I
> recommend that when you download the files you verify the downloads
> via the checksums in the README.txt before using them. The README.txt
> is clearsigned with my gpg key so it should be safe from tampering.
> Unfortunately as I don't use windows I cannot give any advice on how
> to do the verification on these platforms. Maybe someone familiar with
> available tools can chime in.
> I have checked the numpy downloads and they still match what I
> uploaded, but as sourceforge does redirect based on OS and geolocation
> this may not mean much.
> Cheers,
> Julian Taylor
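
The checksum check described in the quoted message, as an added example that is not part of the original thread and is not NumPy project code. It assumes the README.txt lists SHA-256 digests as `<digest>  <path>` lines inside the clearsigned region and that the signature itself has already been checked with `gpg --verify README.txt`; the file names and sample data are constructed. Python is used so the same check runs on Windows.

```python
import hashlib, hmac, os, re, tempfile

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_body(clearsigned: str) -> str:
    """Return only the text the signature covers; anything outside is unauthenticated."""
    lines = clearsigned.splitlines()
    start = lines.index(BEGIN)                 # ValueError if the file is not clearsigned
    end = lines.index(SIG, start)
    first = lines.index("", start) + 1         # armor headers end at the first blank line
    # OpenPGP dash-escapes body lines that start with "-" by prefixing "- "
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[first:end])

def parse_checksums(body: str) -> dict:
    """Map base file name -> SHA-256 hex digest (line layout is an assumption)."""
    pattern = r"^([0-9a-fA-F]{64})[ \t]+\*?(\S+)$"
    return {os.path.basename(m.group(2)): m.group(1).lower()
            for m in re.finditer(pattern, body, re.MULTILINE)}

def verify_download(path: str, checksums: dict) -> bool:
    """True only if the file is listed and its SHA-256 matches the listed digest."""
    expected = checksums.get(os.path.basename(path))
    if expected is None:
        return False                           # unlisted file: treat as unverified
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)

def demo() -> tuple:
    """Constructed sample: the uploaded installer, then one with extra bytes bundled in."""
    good = b"constructed installer bytes"
    readme = "\n".join([
        BEGIN, "Hash: SHA256", "", "SHA256", "- ------",
        hashlib.sha256(good).hexdigest() + "  release/installers/example-installer.exe",
        SIG, "(constructed placeholder, not a real signature)",
        "-----END PGP SIGNATURE-----",
        "0" * 64 + "  example-installer.exe",  # appended outside the signed region
    ])
    sums = parse_checksums(signed_body(readme))
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-installer.exe")
        for data in (good, good + b"bundled extra payload"):
            with open(path, "wb") as f:
                f.write(data)
            results.append(verify_download(path, sums))
    return tuple(results)
```

Only lines inside the signed region are trusted, so a digest appended after the signature block is ignored even though it names the same file.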