On 20 July 2011 10:41, ilf <i...@zeromail.org> wrote:
> On 07-20 10:20, Kai Hendry wrote:
> Both HTTPS and SHA(1|256) shouldn't really be a problem.

You mean HTTPS download and publishing the SHA somewhere? "publishing the SHA" sounds crappy to me. How do you do it? In a wiki? In a text file? All suck. HTTPS I can _just_ about live with, but that's crappy too really. Anyone can get an HTTPS cert, so how can you test sanely that it indeed came from suckless when sucking it down with curl? Surely it's more of a DNS thang we need to rely on?