FWIW, as someone who is mostly just a user of suckless stuff, I like 
OpenPGP signing too. I don't have a strong opinion on git tags vs 
tarballs for signing, either is good. It's nice to have a properly 
secure proof of authenticity that doesn't depend on the link not 
being compromised.

I'm really glad HTTPS is going to be rolled out to suckless.org 
soon, thanks for that!

Personally I've gone off the web of trust model somewhat; it 
somewhat depends on long-lived keys, which given the lack of PFS is 
hard to manage securely. But OpenPGP signatures on software, from 
developers, are great. I plan on just doxing all of the suckless devs 
and knocking on their doors demanding to see their signatures. Much 
better. Or maybe checking them once on a different band to where I 
get the software... All depends on my mood.

Nick


Quoth Markus Teich:
> Hiltjo Posthuma wrote:
> > Checksums are available in each project directory, yesterday I've added
> > SHA256 checksums.
> > 
> > For example:
> >     SHA256: http://dl.suckless.org/dwm/sha256sums.txt
> >     SHA1:   http://dl.suckless.org/dwm/sha1sums.txt
> >     MD5:    http://dl.suckless.org/dwm/md5sums.txt
> > 
> > HTTPS will be coming in a few weeks when some things are sorted. Maybe in
> > the future we can also add PGP signed releases.
> 
> Heyho,
> 
> I don't see the benefit of checksums without signatures. We already kind of
> have transmission integrity by IP for release downloads or by git. We really
> need https, but PGP is probably controversial enough to be discussed. Maybe
> we have some time for that at the hackathon, but that would exclude people
> who cannot attend.
> 
> Thus, start flaming your highly valued opinions about PGP-signing releases to
> the list nao! ;P
> 
> --Markus
> 