[arch-general] [arch-dev-public] Can we trust our mirrors?

[solsTiCe d'Hiver]

i like the original idea of pierre. i had the same one ;-)

because it's easier to implement and could be done quite quickly. it's
quite time to shift to something a little more secure, even if it's not
the *most* secure one. 
as soon the db is signed, we have a minimum security (not total i know,
i read about the exploit in this thread)

package signing could be a second step as it will take even longer to
complete (more work to be done in pacman and more things to agree upon)

in fact, i suggest a two steps approach.