31 Oct 2016
[2016-10-31 15:19:40 +0100] NicoHood:
I'd also vote for https. It does not hurt to use a secure channel to download the sources from. It would be great if we as the ArchLinux team could make the first step in that direction.
Using PGP signatures is another discussion, also the hash algorithm. I think we should discuss that in another post, apart from https. From my point of view it's highly important to use a strong hash function, as it's highly important for the source integrity and not only meant as a checksum for corruption detection.
You know HTTPS uses hash functions too, right? And you know they are in many cases much weaker than those GnuPG uses by default, right? -- Gaetan
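The distinction NicoHood draws between a corruption-detecting checksum and an integrity check is what a source-verification step has to enforce. The following is an added example, not code from the Arch Linux project or from either poster: it verifies a downloaded source blob against an expected digest, refuses weak algorithms (md5, sha1) and placeholder values such as the `SKIP` that a packager might put in place of a digest, and compares digests in constant time. The accepted-algorithm set, the sample "source" bytes and the tampered copy are all constructed for the demonstration.

```python
"""Source-integrity check of the kind discussed in the thread above.

Added example, not code from the Arch Linux project: it verifies a
downloaded source archive against an expected digest and refuses to
treat a weak or placeholder checksum as an integrity guarantee.
"""
import hashlib
import hmac

# Digests considered strong enough to vouch for source integrity.
# This is a policy choice for the example, not an Arch Linux rule.
STRONG_ALGORITHMS = {"sha256", "sha512", "blake2b"}


def hexdigest(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest of data under the named algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_source(data: bytes, expected: str, algorithm: str = "sha256") -> bool:
    """Return True only if the digest of data matches expected.

    Raises ValueError when the algorithm is not on the strong list
    (md5 and sha1 only detect accidental corruption; colliding inputs
    can be produced for them) or when expected is not a hex digest of
    the right length, which also rejects placeholders such as 'SKIP'.
    """
    if algorithm not in STRONG_ALGORITHMS:
        raise ValueError(f"{algorithm} is not acceptable for source integrity")
    expected = expected.strip().lower()
    digest_len = hashlib.new(algorithm).digest_size * 2
    if len(expected) != digest_len or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected value is not a hex digest of the right length")
    actual = hexdigest(data, algorithm)
    # Constant-time comparison so the check does not leak how many
    # leading characters of the digest matched.
    return hmac.compare_digest(actual, expected)


# Constructed sample "source tarball" contents for the demonstration.
SAMPLE_SOURCE = b"#!/bin/sh\necho 'hello from the pristine upstream source'\n"
# The same bytes with a single character changed, standing in for a
# download that was altered in transit or on the mirror.
TAMPERED_SOURCE = SAMPLE_SOURCE.replace(b"pristine", b"prIstine")


if __name__ == "__main__":
    good = hexdigest(SAMPLE_SOURCE)
    print("pristine source verifies:", verify_source(SAMPLE_SOURCE, good))
    print("tampered source verifies:", verify_source(TAMPERED_SOURCE, good))
    for bad_alg in ("md5", "sha1"):
        try:
            verify_source(SAMPLE_SOURCE, hexdigest(SAMPLE_SOURCE, bad_alg), bad_alg)
        except ValueError as exc:
            print("rejected:", exc)
    try:
        verify_source(SAMPLE_SOURCE, "SKIP")
    except ValueError as exc:
        print("rejected:", exc)
```

Note that a transport check (https) and a content check (digest, or a PGP signature over the digest) answer different questions: the former says who you fetched from, the latter what you fetched; the function above only covers the second.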