Hi, I don't see how https helps with any such attack. What I always pointed out is to use checksums. e.g. the webseed torrent files here http://files.sagemath.org/torrents.html have checksums and what would be missing is to sign them. AFAIK there is no official public/private key for files on sagemath.org, but we could create one and sign files containing checksums. We can also add the fingerprint of the key to the source code. (which makes me wonder if we are maybe already signing the tagged releases in git?)
-- h -- You received this message because you are subscribed to the Google Groups "sage-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/sage-devel. For more options, visit https://groups.google.com/d/optout.
