> It currently seems impossible to verify downloads from a computer
> without OpenBSD, for a few reasons:
>
> 1. No securely-distributed public key
> 2. Lack of signify packages in e.g. Linux distros, or
>    securely-distributed sources
>
> To keep things simple, I propose mirroring SHA256SUM files onto the
> main website and making them available over HTTPS. This allows new
> users to easily verify images.

I propose we keep it even simpler, and don't do what you propose. Tired of the suggestions. The end.