On Wed, 2016-05-25 at 16:18 -0600, Theo de Raadt wrote:
> > It currently seems impossible to verify downloads from a computer
> > without OpenBSD, for a few reasons:
> >
> > 1. No securely-distributed public key
> > 2. Lack of signify packages in e.g. Linux distros, or
> >    securely-distributed sources
> >
> > To keep things simple, I propose mirroring SHA256SUM files onto the
> > main website and making them available over HTTPS. This allows new
> > users to easily verify images.
>
> I propose we keep it even simpler, and don't do what you propose.
>
> Tired of the suggestions.
>
> The end.
>

Well, you could certainly put the key and signify sources on the main website. The CVS thing doesn't seem to be HTTPS-enabled. But somehow, I get the feeling you don't want any sort of fix.