After downloading and verifying the releases on ftp://ftp.gnu.org/gnu/, I found that the maintainers used 1024-bit DSA keys with SHA1 content digests. 1024-bit keys are considered to be susceptible to realistic attacks, and SHA1 has been considered broken for some time.

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf, p17
https://shattered.io/

SHA1 is weak enough that a team of researchers was able to mount a realistic attack at no great cost. As compilers and their utilities are a high value target I would appreciate it if the maintainers move to more secure verification schemes.

Respectfully,
R0b0t1.
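
The check described in the message above can be automated. The following is an added example, not part of the original message and not GNU project code: it reads the public-key and hash algorithm IDs from the header of a binary OpenPGP detached signature (packet layout and IDs per RFC 4880) and flags weak digests. The function names and sample bytes are constructed for illustration; key length is stored in the public key, not in the signature, so it is not checked here.

```python
# Added example: report the algorithms recorded in a binary OpenPGP signature.
# Algorithm IDs are from RFC 4880; the sample bytes below are constructed.
PUBKEY = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
        9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {"MD5", "SHA1", "RIPEMD160"}

def signature_algorithms(data: bytes):
    """Return (public-key algorithm, hash algorithm) of a leading signature packet."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a binary OpenPGP packet (dearmor ASCII input first)")
    first = data[0]
    if first & 0x40:                          # new-format packet header
        tag = first & 0x3F
        if data[1] < 192:
            header_len = 2                    # one-octet body length
        elif data[1] < 224:
            header_len = 3                    # two-octet body length
        elif data[1] == 255:
            header_len = 6                    # five-octet body length
        else:
            raise ValueError("partial body lengths are not handled")
    else:                                     # old-format packet header
        tag = (first >> 2) & 0x0F
        length_type = first & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length is not handled")
        header_len = 1 + (1, 2, 4)[length_type]
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature packet")
    body = data[header_len:]
    # v4 body: version, sig type, pubkey algo, hash algo, ...
    # v3 body: version, 5, sig type, time(4), key id(8), pubkey algo, hash algo
    offsets = {4: (2, 3), 3: (15, 16)}.get(body[0] if body else None)
    if offsets is None or len(body) <= offsets[1]:
        raise ValueError("unsupported or truncated signature packet")
    pk, digest = body[offsets[0]], body[offsets[1]]
    return PUBKEY.get(pk, f"pubkey#{pk}"), HASH.get(digest, f"hash#{digest}")

def uses_weak_hash(data: bytes) -> bool:
    """True when the signature was made over an MD5, SHA1 or RIPEMD160 digest."""
    return signature_algorithms(data)[1] in WEAK_HASHES

# Constructed, truncated packets: only the fields read above are meaningful.
SAMPLE_DSA_SHA1 = bytes([0x88, 0x08, 0x04, 0x00, 0x11, 0x02, 0, 0, 0, 0])
SAMPLE_RSA_SHA256 = bytes([0xC2, 0x08, 0x04, 0x00, 0x01, 0x08, 0, 0, 0, 0])

if __name__ == "__main__":
    for name, blob in [("dsa", SAMPLE_DSA_SHA1), ("rsa", SAMPLE_RSA_SHA256)]:
        print(name, signature_algorithms(blob), "weak hash:", uses_weak_hash(blob))
```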