Willy,

On 31.07.2018 at 20:32, Willy Tarreau wrote:
> That's where I disagree, it's exactly the same argument causing TLS to
> appear on every web site even when not necessary, making people believe
> they are safe while they are not. Right now you don't have this PGP
> signature so you are careful about what you retrieve. And that's the
> reason why you're talking about it by the way, because verifying all
> this is painful on your side. But if I start to claim "look, no need
> to double-check anymore, trust me, it's safe", you won't run this
> extra safety check once in a while. But the process involved in placing
> this signature may not be safer than the one involved in the checksum.
>
> With this said, I'll take a look at Bertrand's proposal, which I think
> does satisfy my needs.

To nitpick: this still would require you to trust the binaries (e.g. tar)
on the haproxy.org machine :-)

Anyway: I am digressing here and will patiently await whether or not
there will be PGP signatures in the future.

Best regards
Tim Düsterhus

