On 31.10.2016 at 15:05, Dave Reisner wrote:
> Asking every upstream to provide a PGP signature isn't a process which
> will scale,

I am against enforcing https for projects which provide signatures. As Sebastien pointed out, there are valid reasons against using https and it adds no benefit when using signatures. However, I agree that asking every single author to provide signatures is likely infeasible.

> and some of them will likely not be interested in doing such
> a thing.

Having no interest in signing your work is surely a bad sign. Maybe we should look into dropping such software where we can.

> If an upstream won't provide PGP signatures, do you have
> another suggestion as to how we can secure our process of obtaining
> upstream sources in a reliable manner?

You can't. We could mirror the sources and sign them ourselves, but that would require that we actually audit the sources somehow.
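The "signatures make https unnecessary" argument in the reply above only holds if the packager verifies the signature against a pinned key fingerprint, not merely checks that gpg says the signature is good. The following is an added example illustrating that check; it is not code from the thread participants or from any distribution's build tooling. It assumes GnuPG 2.x is on PATH as `gpg`, and the function names, the pinned fingerprints and the sample status lines are constructed for the illustration.

```python
"""Verify a downloaded upstream tarball against its detached OpenPGP signature
and a pinned set of primary-key fingerprints (added example, assumptions noted)."""
import re
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


# gpg --status-fd emits machine-readable lines prefixed with "[GNUPG:]".
# VALIDSIG carries the fingerprint of the signing (sub)key first and the
# primary key fingerprint as its last field; pinning the primary key keeps
# the check working across upstream subkey rotation.
_STATUS = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
_FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def judge_status(status_lines: Iterable[str], trusted_primary_fprs: Iterable[str]) -> Verdict:
    """Decide whether gpg's status output proves a signature from a pinned key.

    A cryptographically good signature from an unpinned key is rejected:
    anyone can sign a tampered tarball with a key of their own, so GOODSIG
    alone proves nothing about provenance.
    """
    trusted = {f.replace(" ", "").upper() for f in trusted_primary_fprs}
    valid_primary = None
    for line in status_lines:
        m = _STATUS.match(line.strip())
        if not m:
            continue
        keyword, rest = m.group(1), (m.group(2) or "")
        if keyword in _FATAL:
            return Verdict(False, f"gpg reported {keyword}")
        if keyword == "VALIDSIG":
            fields = rest.split()
            # fields[-1] is the primary key fingerprint on GnuPG 2.x; on very
            # old versions it is absent and the comparison below fails safely.
            valid_primary = fields[-1].upper() if fields else None
    if valid_primary is None:
        return Verdict(False, "no VALIDSIG line: signature not verified")
    if valid_primary not in trusted:
        return Verdict(False, "valid signature, but signing key is not pinned", valid_primary)
    return Verdict(True, "signature from pinned key", valid_primary)


def verify_source(tarball: Path, signature: Path, trusted_primary_fprs: Iterable[str]) -> Verdict:
    """Run gpg on a detached signature and judge the result (requires gpg on PATH)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(signature), str(tarball)],
        capture_output=True, text=True, check=False,
    )
    return judge_status(proc.stdout.splitlines(), trusted_primary_fprs)


# Constructed sample data (not real keys): a pinned fingerprint in the spaced
# form packagers usually copy from a key listing, and the status lines gpg
# would emit for a good signature made by a subkey of that primary key.
PINNED = ["ABCD EF01 2345 6789 ABCD EF01 2345 6789 ABCD EF01"]
GOOD_STATUS: List[str] = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 23456789ABCDEF01 Example Upstream <upstream@example.org>",
    "[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2016-10-31 "
    "1477922700 0 4 0 1 10 01 ABCDEF0123456789ABCDEF0123456789ABCDEF01",
]
BAD_STATUS: List[str] = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 23456789ABCDEF01 Example Upstream <upstream@example.org>",
]

if __name__ == "__main__":
    print(judge_status(GOOD_STATUS, PINNED))
    print(judge_status(GOOD_STATUS, ["0000000000000000000000000000000000000000"]))
    print(judge_status(BAD_STATUS, PINNED))
```

The design point is the second branch: a build that accepts any `GOODSIG` gains nothing over an unsigned download, whereas comparing the primary-key fingerprint against a list the packager maintains makes the transport (https or not) irrelevant to integrity, which is the claim made in the reply.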