On Wed, 23 Aug 2017 22:03:41 +0200 Markus Teich <markus.te...@stusta.mhn.de> wrote:
> Hiltjo Posthuma wrote:
> > Checksums are available in each project directory, yesterday I've added
> > SHA256 checksums.
> >
> > For example:
> > SHA256: http://dl.suckless.org/dwm/sha256sums.txt
> > SHA1: http://dl.suckless.org/dwm/sha1sums.txt
> > MD5: http://dl.suckless.org/dwm/md5sums.txt
> >
> > HTTPS will be coming in a few weeks when some things are sorted. Maybe in
> > the future we can also add PGP signed releases.
>
> Heyho,
>
> I don't see the benefit of checksums without signatures. We already kind of
> have transmission integrity by IP for release downloads or by git. We really
> need https, but PGP is probably controversial enough to be discussed. Maybe we
> have some time for that at the hackathon, but that would exclude people who
> cannot attend.
>
> Thus, start flaming your highly valued opinions about PGP-signing releases to
> the list nao! ;P
>
> --Markus

If the server's authenticity can be proven with HTTPS, what additional security do PGP signatures provide?