[arch-general] gpg source validation for kernel.org style signatures
danielmicay at gmail.com
Mon Jan 5 09:19:20 UTC 2015
> I do not think we need HTTPS, though it does not hurt. If anybody tries to
> fool us with man-in-the-middle via HTTP we should detect that just fine with
> broken signatures (given signatures are provided...).
Well, I mean when no signatures are available. It's not really that
common for upstream to sign the packages :(. HTTPS is pretty common
though, especially considering all of the projects hosted on sites like
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the arch-general