On 2016-10-31 14:19, NicoHood wrote:
> I'd also vote for https. It does not hurt to use a secure channel to
> download the sources from. It would be great if we as ArchLinux team
> could make the first step into that direction.
>
> However if you write such a script, it should also check if an https
> download is available, as not all websites provide https downloads yet
> (sadly).
>
> Using PGP signatures is another discussion, also the hash algorithm. I
> think we should discuss that in another post, apart from https. From my
> point of view it's highly important to use a strong hash function as it's
> highly important for the source integrity and not only meant as checksum
> for corruption detection. And as always: more secure does not hurt
> nowadays
>
> Cheers,
> Nico
>

Your message appears outside the thread. Please make sure your mail client is configured correctly as it doesn't help in not exploding the discussion.

Bartłomiej