[arch-dev-public] todo list for moving http -> https sources

Gaetan Bisson bisson at archlinux.org
Tue Nov 1 02:14:08 UTC 2016

[2016-10-31 15:19:40 +0100] NicoHood:
> I'd also vote for https. It does not hurt to use a secure channel to
> download the sources from. It would be great if we as ArchLinux team
> could make the first step into that direction.
> Using PGP signatures is another discussion, also the hash algorithm. I
> think we should discuss that in another post, appart from https. From my
> point of view its highly important to use a strong hash function as its
> highly important for the source integrity and not only meant as checksum
> for corruption detection.

You know HTTPS uses hash functions too, right? And you know they are in
many cases much weaker than those GnuPG uses by default, right?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20161031/08584673/attachment.asc>

More information about the arch-dev-public mailing list