[arch-general] gpg source validation for kernel.org style signatures

Daniel Micay danielmicay at gmail.com
Mon Jan 5 09:19:20 UTC 2015

> I do not think we need HTTPS, though it does not hurt. If anybody tries to
> fool us with man-in-the-middle via HTTP we should detect that just fine with
> broken signatures (given signatures are provided...).

Well, I mean when no signatures are available. It's not really that
common for upstream to sign the packages :(. HTTPS is pretty common
though, especially considering all of the projects hosted on sites like

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20150105/0ee2af59/attachment.bin>

More information about the arch-general mailing list