Description
Please add hashsums to the downloads.
This would only take a minute or so and is one of the most basic, necessary and easiest steps one can take to ensure integrity of software.
It would be best to sign the hashed downloads with GPG but adding hashsums would be good enough. Some more info here.
Note that the hashsum only verifies the integrity of the built binary, not that the built binary matches the public source code of this repository. The next step would be for the package to be reproducible so that when other people build the binary it has the same hashsum.
It is so simple to solve that this short info, obtained via sha512sum ./cosmonium-0.2.1_manylinux1_x86_64.tar.gz, almost closes the issue:
c963a41a94447b756c2f11e0c0bdc9a5ae517e69fdb766db615424c64938d783f138781bca10d44e8a0d685d41c02fbf11568f078b88a631540eae9987447374
for Linux: cosmonium-0.2.1_linux_x86_64.tar.gz on the Downloads page.
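As an added example (not part of the original issue or of the project's own release tooling), this is how a release step could publish a SHA512SUMS file next to the archives, and how a user checks a download against it; the archive names and contents below are constructed placeholders, and the GPG signing helper assumes the publisher already has a signing key.

```shell
#!/bin/sh
# Added example: generate and verify a SHA512SUMS file for release downloads.
set -eu

# Write one "hash  filename" line per archive into SHA512SUMS in the given
# directory. The format is sha512sum's own, so sha512sum -c can read it back.
make_sums() {
    ( cd "$1" && sha512sum *.tar.gz > SHA512SUMS )
}

# Verify every archive listed in SHA512SUMS. Returns 0 only if all match;
# --strict also fails on malformed lines rather than silently skipping them.
verify_sums() {
    ( cd "$1" && sha512sum --strict --check SHA512SUMS >/dev/null 2>&1 )
}

# Optional follow-up from the issue: sign the sums file so users can also
# confirm who published it (verify with: gpg --verify SHA512SUMS.asc SHA512SUMS).
# Requires a private key in the publisher's keyring; not run in the demo.
sign_sums() {
    ( cd "$1" && gpg --armor --detach-sign SHA512SUMS )
}

# Demonstration with constructed sample archives (placeholder content, not
# real releases): sums are produced, verified, then a modified download is
# shown to fail verification.
demo_dir=$(mktemp -d)
printf 'release payload\n' > "$demo_dir/cosmonium-0.2.1_linux_x86_64.tar.gz"
printf 'other payload\n'   > "$demo_dir/cosmonium-0.2.1_win_amd64.tar.gz"
make_sums "$demo_dir"
verify_sums "$demo_dir" && echo "all archives match SHA512SUMS"
printf 'modified\n' >> "$demo_dir/cosmonium-0.2.1_linux_x86_64.tar.gz"
verify_sums "$demo_dir" || echo "mismatch detected: download rejected"
rm -rf "$demo_dir"
```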