> you can probably convince us to send full-vetted SQLite source files or builds …which would also solve the problem with using such hashes in the first place: if you're worried that the remote host might be serving untrustworthy binaries, why are you trusting the hashes posted right alongside those binaries? If someone can modify one, then why not the other? Please, someone explain to me the value of having *any* hash, no matter how strong, on the same page as the link to a given file? drh's suggestion is a much more reliable option than any of this faffing about with SHA-3 programs.