> Yeah, that's all up to the channel owners how they want to do things.
> The goal is for the users to validate that what they received is valid.
> If you're not paranoid, you care that the file downloaded wasn't corrupt
> or MITM modified, so SHA1 is sufficient for now.  If you're paranoid that
> someone may have altered the mirrored copy (and the SHA1 file of course),
> you want GPG so you can be sure the files are as intended by your trusted
> "author".
>
> Most people would find the SHA1 file sufficient, the more paranoid among us
> would do GPG.

Sorry to intercept, but aren't the updated rule files that you plan to publish 
code that is instantly executed as fetched? If gpg checking won't be common, 
everyone with write access to one of the public mirror servers will be able 
to get thousands of zombie systems under his control within hours.

We've seen break-ins at some well respected open source sites within the last 
months (e.g. Debian). But the damage was minor because only a few people 
downloaded the malicious code before it was found and removed. This will be 
different with an automatic update system...

So I propose to make the gpg signing mandatory or at least spit out some big 
red letters before disabling.

Kind regards,

Gerd
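
The trade-off argued in this thread, as an added example that is not part of the original messages or of the project's code: a checksum file served by the same mirror is compared with a signature checked against a key pinned on the client. Assumptions: textbook RSA over two known primes stands in for GPG, all function names are hypothetical, and the rule contents are constructed samples.

```python
import hashlib

# Constructed toy key: textbook RSA over two known Mersenne primes, standing in
# for the author's GPG key. Illustration only (no padding, not secure).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public half, pinned on every client
D = pow(E, -1, (P - 1) * (Q - 1))      # private half, never stored on a mirror

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def publish(rules: bytes) -> dict:
    """Author side: the three files a mirror serves for one update."""
    return {"rules": rules,
            "sha1": hashlib.sha1(rules).hexdigest(),
            "sig": pow(digest(rules), D, N)}

def mirror_write(served: dict, new_rules: bytes) -> dict:
    """Someone with mirror write access swaps the rules and the .sha1 file.
    Without D they cannot produce a matching signature, so the old one stays."""
    return {"rules": new_rules,
            "sha1": hashlib.sha1(new_rules).hexdigest(),
            "sig": served["sig"]}

def sha1_ok(served: dict) -> bool:
    return hashlib.sha1(served["rules"]).hexdigest() == served["sha1"]

def sig_ok(served: dict) -> bool:
    # Checked against the locally pinned (N, E), not anything the mirror sent.
    return pow(served["sig"], E, N) == digest(served["rules"])

def accept_update(served: dict, require_sig: bool = True):
    """Fail closed: rules are only accepted for execution if the checks pass."""
    if not sha1_ok(served):
        return False, "checksum mismatch (corrupt download)"
    if not require_sig:
        return True, "WARNING: signature check disabled, mirror is trusted blindly"
    if not sig_ok(served):
        return False, "bad signature (rules not from the pinned key)"
    return True, "signature ok"

if __name__ == "__main__":
    honest = publish(b"rule CONSTRUCTED_SAMPLE_1\n")          # constructed sample
    altered = mirror_write(honest, b"rule CONSTRUCTED_SAMPLE_2\n")
    for name, served in (("honest", honest), ("altered", altered)):
        print(name, "sha1-only:", accept_update(served, require_sig=False)[0],
              "with signature:", accept_update(served))
```

With the signature check disabled, the altered mirror copy is accepted because its checksum file was replaced along with it; with the check on, only the copy signed by the pinned key is accepted.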
