7 Dec
2016
7 Dec
'16
11:44 a.m.
On 12/07/2016 11:17 AM, Gregory Mullen wrote:
If the argument left is, I don't want (better checksum) because it's shouldn't be thought of as a security check, and I want a security check.
Why can't the requirement be PGP sig's are now required, and we drop the checksum completely?
Won't work because many upstreams don't provide signatures. Maybe giving a warning ("source authenticity was not verified due to lack of GPG signature") would work? -- GPG fingerprint: 871F 1047 7DB3 DDED 5FC4 47B2 26C7 E577 EF96 7808