A file without context is often not enough. A README explains what the download is for, how to use it, which version is published and what the user should not expect from it.
A checksum such as SHA256 does not make software safe by itself, but it helps verify that the downloaded file matches the published file.
- the README should explain purpose and basic use;
- the licence should explain what is allowed;
- the hash should support file verification;
- versions should be labelled clearly.
This small discipline saves users from guessing.
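
As an added example (not part of the original page), this Python sketch checks a downloaded file against a published checksum list in the common sha256sum format. The file name tool-1.2.0.zip and its contents are constructed for illustration. It reports a file with no published hash separately from a mismatch, since in that case nothing was verified.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash the file in chunks so large downloads do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sums(text):
    """Parse sha256sum-style lines: '<64 hex>  <name>' or '<64 hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            entries[name] = digest
    return entries


def verify(path, sums_text):
    """Return 'ok', 'mismatch', or 'unlisted' for the file at path."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # no published hash for this name: nothing was verified
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


if __name__ == "__main__":
    # Constructed sample: a stand-in download and the checksum list published for it.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tool-1.2.0.zip")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample release\n")
        published = f"{sha256_file(path)}  tool-1.2.0.zip\n"
        print(verify(path, published))   # file matches the published hash
        with open(path, "ab") as fh:
            fh.write(b"x")               # simulate a corrupted or altered download
        print(verify(path, published))   # hash no longer matches
```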