[2016-10-31 15:19:40 +0100] NicoHood:
> I'd also vote for https. It does not hurt to use a secure channel to
> download the sources from. It would be great if we as ArchLinux team
> could make the first step into that direction.
>
> Using PGP signatures is another discussion, also the hash algorithm. I
> think we should discuss that in another post, apart from https. From my
> point of view it's highly important to use a strong hash function as it's
> highly important for the source integrity and not only meant as checksum
> for corruption detection.
You know HTTPS uses hash functions too, right? And you know they are in many cases much weaker than those GnuPG uses by default, right?

-- Gaetan