http://www.securityweek.com/strongpity- ... unications
Further reason to triply make sure what you're looking for is the official site (always go to DuckDuckGo/Google/Bing first for site verification, and never come from a link) and not some well-designed fake. And second, to make sure to use GPG and/or strong digital-code signing for verification when downloading anything from the Internet. Outside of how easy it is today to check md5/sha1/sha256/sha512 sums, GPG verification can still be a bit clumsy. But GPG --keyserver, then --fingerprint, then --verify is always worth the time to perform (from terminal), plus any extra time it initially takes you to learn it & to make it become 2nd nature when downloading anything off the worldwide net. Even things like browsers, i.e. Firefox--always check the sha256 PLUS the GPG signature signing those. Don't fool yourself thinking that if you see "https://...." in your browser window, when you are downloading from the Internet, that you are completely safe and do not need to worry about anything other than md5/shasum file integrity checking.
I am not aware of any existing on murga, but have always wondered if any of the pup builders would ever include GPG signing, like many small Linux distros do (for the big ones it is standard practice), for their pup OS downloads? Creating a PGP key, uploading that key to just one GPG keyserver (which automatically updates all keyservers), is not hard. Yes, the md5/shasums now provided by pup builders are great, but most people still don't understand md5/shasums provide no security. Md5/shasums only check file integrity, i.e., that we are getting the same file as is on that server. But if that server ever gets compromised, we as users would never, ever know until it is too late because the pup distro is not GPG signed & we had no way to check that crucial security (that we are actually getting the PupOS the builder intended).
Pffffft, hey, no sweat, we've nothing to worry about, right?? It's not like servers and/or download sites (even Google's) can ever get compromised.
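
The checksum-then-signature routine described in the post above, as an added example that is not part of the original post: `gpg --verify` succeeds for a good signature from any key in the keyring, so this sketch also compares the signer against a fingerprint you pinned beforehand. The function names are hypothetical, and it assumes the signing key is already imported and the pinned fingerprint was obtained out of band.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Normalize a fingerprint as shown by `gpg --fingerprint`: drop spaces, uppercase.
norm_fpr() { printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'; }

# Read `gpg --status-fd` output on stdin and print the primary-key fingerprint
# from the VALIDSIG line (field 12; falls back to the signing-key fingerprint).
# Exits non-zero when gpg reported no valid signature.
validsig_primary_fpr() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
         print ($12 != "" ? $12 : $3); found = 1; exit
       }
       END { exit !found }'
}

# usage: verify_download FILE SIGFILE PINNED_FPR [EXPECTED_SHA256]
verify_download() {
  local file="$1" sig="$2" pinned want="${4:-}" got status
  pinned=$(norm_fpr "$3")

  # Step 1: integrity only. Catches a corrupted download, not a swapped file
  # whose checksum was replaced on the same server.
  if [ -n "$want" ]; then
    got=$(sha256sum "$file" | awk '{print $1}')
    [ "$got" = "$want" ] || { echo "sha256 mismatch" >&2; return 1; }
  fi

  # Step 2: authenticity. The signature must be cryptographically valid...
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) ||
    { echo "bad or missing signature" >&2; return 1; }

  # Step 3: ...and made by the key we pinned, not just any key in the keyring.
  got=$(printf '%s\n' "$status" | validsig_primary_fpr) ||
    { echo "no VALIDSIG reported" >&2; return 1; }
  [ "$got" = "$pinned" ] || { echo "signed by unexpected key $got" >&2; return 1; }
  echo "OK: $file signed by $pinned"
}
```

Call it as `verify_download file.iso file.iso.sig "<pinned fingerprint>" "<published sha256>"`; any non-zero return means the file should not be used.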