However the only official GASNet distributions are in source form with published MD5 sums to validate authenticity.
GASNet builds are highly tuned to the target system, thus users are always recommended to build from source for reasons of performance and functionality, which also happens to invalidate the security concerns raised at the attached site.
Finally, the PR below definitely does NOT address all the sources of non-determinism in the binary output of GASNet builds, which has never been a design goal of the library.
Bernhard M. Wiedemannauthor
We do ship gasnet binary packages in our openSUSE and SUSE Linux Enterprise Server 12 SP4 distributions.
Fedora ships binaries, too.
The only other non-determinism I had seen earlier was with `GASNETI_CACHE_LINE_BYTES` in `gasnet_config.h` , but could not reproduce that anymore with 1.30
None of binary packages you mention are supported or endorsed by the GASNet development team. Those packages are generated by making unsupported modifications to the GASNet build process (see pull request #36).
GASNet's BSD license means we cannot prohibit the creation of such packages, but we do not vouch for the build integrity of those binary packages or suitability for any purpose - any issues regarding those binaries or questions of their integrity should be directed to those binary package maintainers.
The only officially supported and recommended means to use GASNet is to build from the source release tarballs published on our website.