I'd also vote for https. It does not hurt to use a secure channel to download the sources from. It would be great if we as the ArchLinux team could make the first step in that direction.

However, if you write such a script, it should also check if an https download is available, as not all websites provide https downloads yet (sadly). Using PGP signatures is another discussion, as is the hash algorithm. I think we should discuss that in another post, apart from https. From my point of view it's highly important to use a strong hash function, as it's highly important for the source integrity and not only meant as a checksum for corruption detection. And as always: more secure does not hurt nowadays.

Cheers,
Nico
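The check Nico describes, as an added example that is not part of the original mail: for each PKGBUILD-style source entry, it derives the https counterpart of an http URL, probes whether it is reachable, and verifies a download against a sha256 value rather than a weak checksum. The function names, the injectable `probe` callback and the sample URLs are assumptions for illustration.

```python
"""Prefer https source URLs where the upstream offers them, and verify
downloads with sha256. Added example; all names here are made up."""
import hashlib
import hmac
import urllib.request
from urllib.parse import urlsplit, urlunsplit


def split_source(entry):
    """PKGBUILD sources may be written as 'filename::url'; return (filename, url)."""
    if "::" in entry:
        name, url = entry.split("::", 1)
        return name, url
    return entry.rsplit("/", 1)[-1], entry


def https_variant(url):
    """Return the https form of an http URL, or None for any other scheme."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None
    return urlunsplit(("https",) + tuple(parts[1:]))


def default_probe(url, timeout=10):
    """HEAD request; True if the server answers with a 2xx/3xx status."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except Exception:  # DNS failure, TLS error, timeout, 4xx/5xx: keep http
        return False


def prefer_https(entries, probe=default_probe):
    """Return (filename, original_url, chosen_url, upgraded) per entry.

    `probe` is injectable so the decision logic can be tested offline."""
    chosen = []
    for entry in entries:
        name, url = split_source(entry)
        candidate = https_variant(url)
        if candidate and probe(candidate):
            chosen.append((name, url, candidate, True))
        else:
            chosen.append((name, url, url, False))
    return chosen


def verify_sha256(data, expected_hex):
    """Compare the download's sha256 with the PKGBUILD value in constant time."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_hex.lower())
```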