On 23/02, Christian Rebischke wrote:
> On Mon, Feb 22, 2016 at 04:55:17PM +0100, Levente Polyak wrote:
> > On February 22, 2016 4:22:40 PM GMT+01:00, Christian Rebischke <Chris.Rebischke@archlinux.org> wrote:
> > > Maybe we should also sign the ISO with a GPG-Key.
> > > I don't mean that we should remove the MD5 checksum but we should add some other checksum and sign the ISO.
> >
> > The ISO is actually signed, above the mentioned checksums [0] you can find the signature file [1].
> >
> > Cheers, Levente
> >
> > [0] https://www.archlinux.org/download/
> > [1] https://www.archlinux.org/iso/2016.02.01/archlinux-2016.02.01-dual.iso.sig
>
> Sorry guys, there I was too fast and inattentive. But, however, what do you think about adding a stronger checksum to it? I know that a GPG signature + MD5 or SHA1 would be enough but I know enough people who just check the checksum and don't care about signatures.

The checksums aren't for security, and anyone who replaced the tarball could most likely change the checksum as well.

--
Sincerely,
Johannes Löthberg
PGP Key ID: 0x50FB9B273A9D0BB5
https://theos.kyriasis.com/~kyrias/
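Added example, not part of the original thread: a self-contained shell sketch of the point made in the last reply, showing what a checksum check and a detached-signature check each report when an image and its checksum file have both been replaced on the download location. The file names, the throwaway key and the `demo_replaced_image` function are constructed for illustration; it assumes GnuPG 2.1+ and GNU coreutils.

```shell
#!/bin/sh
# Constructed demo: checksum file next to the image vs. detached GPG signature.
# Prints "checksum=<pass|fail> signature=<pass|fail>" for a replaced image.
demo_replaced_image() (
    set -e
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"            # isolated keyring, not the user's
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$work"' EXIT
    mkdir -m 700 "$GNUPGHOME"
    cd "$work"

    # Release side: throwaway signing key (constructed, empty passphrase).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Key <release@example.invalid>' \
        default default never 2>/dev/null
    printf 'genuine image\n' > demo.iso
    sha256sum demo.iso > sha256sums.txt
    gpg --batch --quiet --detach-sign --output demo.iso.sig demo.iso

    # Download location: image replaced, checksum file regenerated to match.
    # The private key never lived here, so demo.iso.sig cannot be regenerated.
    printf 'replaced image\n' > demo.iso
    sha256sum demo.iso > sha256sums.txt

    # User side: run both checks against what was downloaded.
    if sha256sum -c --quiet sha256sums.txt >/dev/null 2>&1; then
        c=pass
    else
        c=fail
    fi
    if gpg --batch --quiet --verify demo.iso.sig demo.iso >/dev/null 2>&1; then
        s=pass
    else
        s=fail
    fi
    echo "checksum=$c signature=$s"
)

demo_replaced_image
```

The checksum only proves the download matches whatever the checksum file says; the signature check is the one tied to a key that is not stored beside the image.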