> I do not think we need HTTPS, though it does not hurt. If anybody tries to > fool us with man-in-the-middle via HTTP we should detect that just fine with > broken signatures (given signatures are provided...).
Well, I mean when no signatures are available. It's not really that common for upstream to sign the packages :(. HTTPS is pretty common though, especially considering all of the projects hosted on sites like github.
signature.asc
Description: OpenPGP digital signature
