On Wed, Jul 20, 2011 at 10:47:28AM +0100, Kai Hendry wrote:
> HTTPS I can _just_ about live with, but that's crappy too really.
> Anyone can get an HTTPS cert, so how can you test sanely that it indeed
> came from suckless when sucking it down with curl? Surely it's more of
> a DNS thang we need to rely on?
Why isn't PGP signing the answer here? You can continue to serve from a simple, insecure connection, without having to pretend that HTTPS' trust model is not broken, and can verify the download perfectly.

wget http://dl.suckless.org/tools/dmenu-4.4.tar.gz
wget http://dl.suckless.org/tools/dmenu-4.4.tar.gz.sig
gpg --verify dmenu-4.4.tar.gz.sig

is not that tricky.
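One detail the three commands above leave implicit: `gpg --verify` reports "Good signature" for any key in your keyring, so the download is only tied to suckless if you also pin the expected signing-key fingerprint. The script below is an added example, not from the thread or from suckless; it parses gpg's machine-readable `--status-fd` output and accepts only a valid signature from the pinned key. The fingerprint and the sample status lines are constructed placeholders, not suckless's real key.

```shell
# Added example: verify a detached .sig against a pinned key fingerprint.
# gpg --status-fd emits lines such as
#   [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <expire> <ver> <pk> <hash> <class> <primary-fpr>
# and prints "WARNING: This key is not certified" when the key is merely present
# in the keyring, which is why a fingerprint check is needed on top of it.

# $1 = gpg status output, $2 = pinned 40-hex fingerprint. Returns 0 only if a
# VALIDSIG line names the pinned key (as signing key or as primary of a subkey)
# and no signature in the file is bad, unverifiable, expired or revoked.
check_status_output() {
    status="$1"
    expected="$2"
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    printf '%s\n' "$status" | awk -v fpr="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# $1 = tarball, $2 = detached signature, $3 = pinned fingerprint.
# Wraps the real gpg call; status lines go to stdout via --status-fd 1.
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    check_status_output "$status" "$3"
}

# Constructed sample data (placeholder fingerprints, not a real key).
PINNED_FPR="0000000000000000000000000000000000000001"
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000001 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2011-07-20 1311155248 0 4 0 1 2 00 0000000000000000000000000000000000000001
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Valid signature, but from a key nobody pinned: gpg alone would still say "Good signature".
OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000002 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000002 2011-07-20 1311155248 0 4 0 1 2 00 0000000000000000000000000000000000000002
[GNUPG:] TRUST_UNDEFINED 0 pgp'
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0000000000000001 Example Signer <signer@example.invalid>'

check_status_output "$GOOD_STATUS" "$PINNED_FPR" && echo "pinned key: accept"
check_status_output "$OTHER_KEY_STATUS" "$PINNED_FPR" || echo "other key: reject"
```

For a real download, `verify_download dmenu-4.4.tar.gz dmenu-4.4.tar.gz.sig "$PINNED_FPR"` runs the same check against gpg's live output.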