[arch-dev-public] todo list for moving http -> https sources
bisson at archlinux.org
Tue Nov 1 02:14:08 UTC 2016
[2016-10-31 15:19:40 +0100] NicoHood:
> I'd also vote for https. It does not hurt to use a secure channel to
> download the sources from. It would be great if we as ArchLinux team
> could make the first step into that direction.
> Using PGP signatures is another discussion, also the hash algorithm. I
> think we should discuss that in another post, apart from https. From my
> point of view it's highly important to use a strong hash function as it's
> highly important for the source integrity and not only meant as checksum
> for corruption detection.
You know HTTPS uses hash functions too, right? And you know they are in
many cases much weaker than those GnuPG uses by default, right?