[arch-dev-public] todo list for moving http -> https sources

NicoHood arch-dev at nicohood.de
Mon Oct 31 14:19:40 UTC 2016

I'd also vote for https. It does not hurt to use a secure channel to
download the sources from. It would be great if we as ArchLinux team
could make the first step into that direction.

However if you write such a script, it should also check if an https
download is available, as not all websites provide https downloads yet

Using PGP signatures is another discussion, also the hash algorithm. I
think we should discuss that in another post, appart from https. From my
point of view its highly important to use a strong hash function as its
highly important for the source integrity and not only meant as checksum
for corruption detection. And as always: more secure does not hurt


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20161031/e29ceb80/attachment.asc>

More information about the arch-dev-public mailing list