[arch-dev-public] todo list for moving http -> https sources

Bartłomiej Piotrowski bpiotrowski at archlinux.org
Thu Nov 3 18:43:34 UTC 2016


On 2016-10-31 14:19, NicoHood wrote:
> I'd also vote for https. It does not hurt to use a secure channel to
> download the sources from. It would be great if we as ArchLinux team
> could make the first step into that direction.
> 
> However if you write such a script, it should also check if an https
> download is available, as not all websites provide https downloads yet
> (sadly).
> 
> Using PGP signatures is another discussion, also the hash algorithm. I
> think we should discuss that in another post, apart from https. From my
> point of view it's highly important to use a strong hash function as it's
> highly important for the source integrity and not only meant as checksum
> for corruption detection. And as always: more secure does not hurt
> nowadays.
> 
> Cheers,
> Nico
> 

Your message appears outside the thread. Please make sure your mail
client is configured correctly as it doesn't help in not exploding the
discussion.

Bartłomiej
