> On Wed, May 14, 2014 at 17:55, Marc Espie wrote:
> > There's no point in providing SHA256.sig for packages. For one thing, it
> > goes out of synch rather easily. For another thing, it's redundant with
> > the package signatures themselves. THAT SHA256 file exists only to make it
> > easier to check that a transfer went out okay. It's not there to protect
> > against any kind of malice...
>
> I'm inclined to say that if something looks like it could be used to
> protect against malice, we should sign it. Or not provide it.
>
> Providing a mix of signed and unsigned SHA256 files would be a
> dangerous inconsistency in my mind.
Unfortunately that is not how the mirrors update...
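The two positions in the thread (the SHA256 file as a transfer check versus a signed SHA256.sig as protection against a hostile mirror) and the out-of-sync problem that both Marc Espie and the reply point at can be put side by side in a small model. The Go program below is an added example written for this page; it is not OpenBSD code and does not use signify. An in-memory map stands in for the mirror, a freshly generated Ed25519 key stands in for the project's signing key, the "SHA256 (name) = hex" line format and the package names are constructed, and the three tamper functions are the scenarios discussed in the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Mirror is a constructed in-memory model of what a package mirror serves: the
// archives, the SHA256 list and an optional detached signature over that list.
type Mirror struct {
	Files     map[string][]byte // package name -> archive bytes (constructed)
	SHA256    []byte            // one "SHA256 (name) = hex" line per package
	SHA256Sig []byte            // ed25519 signature over SHA256; nil if unsigned
}

// checksumList renders one BSD-style checksum line per archive.
func checksumList(files map[string][]byte) []byte {
	var b strings.Builder
	for n, data := range files {
		fmt.Fprintf(&b, "SHA256 (%s) = %x\n", n, sha256.Sum256(data))
	}
	return []byte(b.String())
}

// Publish signs the checksum list with priv. The private key stays with the
// publisher; the mirror only ever receives the resulting signature.
func Publish(files map[string][]byte, priv ed25519.PrivateKey) *Mirror {
	list := checksumList(files)
	return &Mirror{Files: files, SHA256: list, SHA256Sig: ed25519.Sign(priv, list)}
}

// VerifyChecksums is the "did the transfer go out okay" check: each listed
// package must exist and hash to its digest. It trusts whatever the list says.
func VerifyChecksums(m *Mirror) error {
	for _, line := range strings.Split(strings.TrimSpace(string(m.SHA256)), "\n") {
		rest := strings.TrimPrefix(line, "SHA256 (")
		i := strings.Index(rest, ") = ")
		if rest == line || i < 0 {
			return fmt.Errorf("malformed checksum line %q", line)
		}
		name, digest := rest[:i], rest[i+4:]
		if data, ok := m.Files[name]; !ok || fmt.Sprintf("%x", sha256.Sum256(data)) != digest {
			return fmt.Errorf("%s: missing or checksum mismatch", name)
		}
	}
	return nil
}

// VerifySigned checks SHA256.sig with a public key obtained out of band (never
// from the mirror) before trusting the list for the per-file check.
func VerifySigned(m *Mirror, pub ed25519.PublicKey) error {
	if m.SHA256Sig == nil || !ed25519.Verify(pub, m.SHA256, m.SHA256Sig) {
		return fmt.Errorf("SHA256.sig missing or does not match SHA256")
	}
	return VerifyChecksums(m)
}

// CorruptTransfer flips a byte in one archive, as a bad download would.
func CorruptTransfer(m *Mirror) { m.Files["alpha-1.0.tgz"][0] ^= 0xff }

// MaliciousReplace models a hostile mirror: it swaps an archive and rewrites
// SHA256 to match, but cannot re-sign without the publisher's key.
func MaliciousReplace(m *Mirror) {
	m.Files["alpha-1.0.tgz"] = []byte("backdoored alpha (constructed)")
	m.SHA256 = checksumList(m.Files)
}

// PartialSync models the "goes out of synch" case from the thread: a genuine
// update reached the archives and SHA256, but SHA256.sig is still the old one.
func PartialSync(m *Mirror) {
	m.Files["gamma-3.0.tgz"] = []byte("gamma 3.0 archive (constructed)")
	m.SHA256 = checksumList(m.Files)
}

// RunScenario publishes a constructed two-package mirror, applies tamper to it
// and reports whether the checksum-only and the signed check accept the result.
func RunScenario(tamper func(*Mirror)) (checksumOnly, signed bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	m := Publish(map[string][]byte{
		"alpha-1.0.tgz": []byte("alpha 1.0 archive (constructed)"),
		"beta-2.0.tgz":  []byte("beta 2.0 archive (constructed)"),
	}, priv)
	tamper(m)
	return VerifyChecksums(m) == nil, VerifySigned(m, pub) == nil
}

func main() {
	for name, tamper := range map[string]func(*Mirror){"clean": func(*Mirror) {},
		"corrupt transfer": CorruptTransfer, "malicious replace": MaliciousReplace,
		"partial sync": PartialSync} {
		c, s := RunScenario(tamper)
		fmt.Printf("%-18s checksum-only=%-5v signed=%v\n", name, c, s)
	}
}
```

`go run` prints one line per scenario. The point the thread turns on shows up in the last two: the checksum-only check accepts a hostile mirror that rewrote SHA256 along with the package, while the signed check rejects it; but the signed check equally rejects a mirror that merely received the new packages and SHA256 before the new SHA256.sig, and a verifier cannot tell the two states apart from the files alone. That is the cost behind the "goes out of synch" remark, and why "sign it or don't provide it" only works if mirrors update the list and its signature together.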