On 2016-10-31 14:19, NicoHood wrote:
I'd also vote for https. It does not hurt to use a secure channel to download the sources from. It would be great if we as ArchLinux team could make the first step in that direction.
However, if you write such a script, it should also check if an https download is available, as not all websites provide https downloads yet (sadly).
Using PGP signatures is another discussion, also the hash algorithm. I think we should discuss that in another post, apart from https. From my point of view it's highly important to use a strong hash function, as it's highly important for the source integrity and not only meant as a checksum for corruption detection. And as always: more secure does not hurt nowadays.
Cheers, Nico
Your message appears outside the thread. Please make sure your mail client is configured correctly as it doesn't help in not exploding the discussion. Bartłomiej