On 31.10.2016 at 15:05, Dave Reisner wrote:
> Asking every upstream to provide a PGP signature isn't a process which will scale,
I am against enforcing https for projects which provide signatures. As Sebastien pointed out, there are valid reasons against using https and it adds no benefit when using signatures. However, I agree that asking every single author to provide signatures is likely infeasible.
> and some of them will likely not be interested in doing such a thing.
Having no interest in signing your work is surely a bad sign. Maybe we should look into dropping such software where we can.
> If an upstream won't provide PGP signatures, do you have another suggestion as to how we can secure our process of obtaining upstream sources in a reliable manner?
You can't. We could mirror the sources and sign them ourselves, but that would require that we actually audit the sources somehow.