Let's download Flume from http://flume.apache.org/. Look for the download link in the side navigation. You'll see two compressed
.tar archives available along with the checksum and GPG signature files used to verify the archives. Instructions to verify the download are on the website, so I won't cover them here. Checking the checksum file contents against the actual checksum verifies that the download was not corrupted. Checking the signature file validates that all the files you are downloading (including the checksum and signature) came from Apache and not some nefarious location. Do you really need to verify your downloads? In general, it is a good idea and it is recommended by Apache that you do so. If you choose not to, I won't tell.
The binary distribution archive has
bin in the name, and the source archive is marked with
src. The source archive contains just the Flume source code. The binary distribution is much larger because it contains not only the Flume source...