On Sat, Dec 3, 2016 at 6:27 AM, fnodeuser <subscription at binkmail.com> wrote: > https://lists.archlinux.org/pipermail/arch-dev-public/2016-November/028492.html I would suggest considering TUF - The Update Framework or stealing their signing scheme which withstands all kinds of attack scenarios.