7 Dec 2016
11:24 p.m.
On Wed, 7 Dec 2016 11:44:11 +0100, Bennett Piater wrote:
> Maybe giving a warning ("source authenticity was not verified due to lack of GPG signature") would work?
I find this a great idea. It's transparent, and this way people get frequently reminded about that security issue. Or like sivmu said:
> A big fat warning about missing validation should automatically be generated in any package that misses signatures or at least https source downloads.
Regards,
Merlin
--
Merlin Büge