> I agree or just a simple HTTPS browser bookmark. I think that's better on many levels, for example otherwise someone can also spoof a plain HTTP redirect.
Browser distributors had the chance to implement something like this, plus client-side certificate pinning, but they fucked it up. Now we have something much worse: letsencrypt and this completely insecure HTTP redirection snake-oil. With letsencrypt you now have to put in extra work (can't keep track of all the individual subdomains either, wildcards are suddenly a security risk?!), and nobody bothers to quantify the amount of gained security. Instead of having to trust garbeam I now have to trust third persons (I can't even count them), because it's too much work for garbeam to just make a certificate that my browser will think is OK.

That's why I wonder why you have put in all this effort to begin with. Who are you trying to protect who isn't already gonna use the Ubuntu PGP-signed packages? The people who manage to write code and compile it and contribute back, who already have the sshd public key trusted in their .ssh folder? For yourself you anyway lack any meaningful all-encompassing security strategy, because secretly you know the risk is small, or many other, unrelated, but more important risks in life are bigger and demand more of your attention. If you live in Europe you probably won't even be able to supply enough ammo for self-defense of your source code.