Downloading binaries and executing without checking the authenticity is at least unwise.

When binman downloads GCC it should also download and verify the GPG signatures.

Additionally, binman could hold a list of the SHA256 hashes of all binaries in question for a further check.

Best regards

Heinrich
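A sketch of the pinned-hash check suggested above, as an added example that is not binman's code or part of the original message. The names `PINNED_SHA256`, `verify_download` and the archive name are hypothetical, the payload is constructed sample data, and GPG signature verification is not covered here.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample data: a stand-in payload and its pinned digest.
SAMPLE_PAYLOAD = b"constructed stand-in for a toolchain archive\n"
PINNED_SHA256 = {  # hypothetical table, keyed by archive file name
    "toolchain-sample.tar.xz": hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(),
}


class VerificationError(Exception):
    """Raised when a downloaded file must not be unpacked or executed."""


def sha256_file(path, chunk_size=1 << 16):
    """Hash the file in chunks so large archives are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, name, pinned=PINNED_SHA256):
    """Return the digest on a match; otherwise delete the file and raise."""
    expected = pinned.get(name)
    if expected is None:
        # Fail closed: a file without a pinned hash is never trusted.
        os.unlink(path)
        raise VerificationError(f"no pinned SHA256 for {name}")
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        # Remove the file so a later step cannot pick it up by accident.
        os.unlink(path)
        raise VerificationError(f"SHA256 mismatch for {name}")
    return actual


if __name__ == "__main__":
    fd, tmp = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_PAYLOAD)
    print("verified:", verify_download(tmp, "toolchain-sample.tar.xz"))
    os.unlink(tmp)
```

The check runs before anything is unpacked or executed, and the pinned table has to ship with the tool itself rather than be fetched from the same server as the binaries.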