I do like the idea that a hacker cannot change the signature file if they gain access to the web/file hosts, but how do you verify it in a secure way?
For Linux sources there are MD5 and SHA-1 hashes, I believe. If you have two or three hashes for comparison, the likelihood of someone changing something without those two changing seems VEEEERY low.
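As an added example (not part of the original post, and not any distribution's own tooling), here is how the multi-digest comparison described above can be done in Python: a checksum file in the `<hex>  <filename>` layout written by `md5sum`/`sha1sum`/`sha256sum` is parsed, the algorithm is inferred from the digest length, every listed digest is recomputed over the downloaded bytes, and the download is accepted only if all of them match. The artifact and its checksum lines are constructed for the example; a real checksum file would come from the project, ideally signed so that the digests cannot be swapped along with the download on a compromised host.

```python
import hashlib
import hmac

# Constructed sample "download"; stands in for a downloaded source tarball.
ARTIFACT = b"example-release-1.0.tar.gz contents (constructed sample)\n"
ARTIFACT_NAME = "example-release-1.0.tar.gz"

# Constructed checksum file in md5sum/sha1sum/sha256sum output layout.
# The digests are computed here from ARTIFACT so the example runs offline;
# in practice they come from the publisher, not from the download itself.
CHECKSUM_FILE = "\n".join(
    f"{hashlib.new(alg, ARTIFACT).hexdigest()}  {ARTIFACT_NAME}"
    for alg in ("md5", "sha1", "sha256")
) + "\n"

# Hex digest length -> algorithm name accepted by hashlib.new().
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_checksum_file(text, filename):
    """Return {algorithm: hex_digest} for every line naming `filename`.

    Lines for other files are ignored; a digest of unknown length is rejected
    rather than guessed, because a silently skipped line weakens the check.
    """
    published = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # "*name" marks binary mode in GNU coreutils
        if name != filename:
            continue
        digest = digest.lower()
        if len(digest) not in DIGEST_LENGTHS or any(
            c not in "0123456789abcdef" for c in digest
        ):
            raise ValueError(f"unrecognised digest on line: {line!r}")
        published[DIGEST_LENGTHS[len(digest)]] = digest
    return published


def verify_digests(data, published):
    """Return (ok, mismatches).

    ok is True only when every published digest matches the recomputed one;
    a single mismatch is enough to reject the download. compare_digest is
    used so the comparison does not leak which prefix matched.
    """
    mismatches = []
    for alg, expected in published.items():
        actual = hashlib.new(alg, data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            mismatches.append(alg)
    return (not mismatches, sorted(mismatches))


def flip_one_bit(data, offset=0):
    """Produce a tampered copy differing from `data` in a single bit."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    expected = parse_checksum_file(CHECKSUM_FILE, ARTIFACT_NAME)
    print("genuine download:", verify_digests(ARTIFACT, expected))
    print("one-bit change:  ", verify_digests(flip_one_bit(ARTIFACT), expected))
```

Running the block shows that a one-bit change to the download causes every listed digest to mismatch, which is the property the post relies on; it also makes the limitation visible, since `CHECKSUM_FILE` is only as trustworthy as wherever it was fetched from.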