[arch-general] secure package signing related websites (was: Re: Keyring package for real)

Christian Hesse list at eworm.de
Sun Mar 4 05:22:38 EST 2012


Hello everybody,

(As I am not allowed to post to arch-dev-public, I am resending it here.)

OK, not really related to the keyring package, but it came to my mind when
installing it and while signing the key:

I think it makes sense not to allow pages related to package signing to be
delivered via HTTP. Instead, automatically redirect to HTTPS to avoid
man-in-the-middle attacks. The first site that comes to my mind:
https://www.archlinux.org/master-keys/
-- 
Best regards,
Chris
                         O< ascii ribbon campaign
                   stop html mail - www.asciiribbon.org

