Hello gnu :)

On https://gcc.gnu.org/mirrors.html it says "The archives there will be
signed by one of the following GnuPG keys", but most mirror ftp servers do
not provide any signatures to use those keys with.

It seems that some mirrors provide the signatures (like
https://mirror.csclub.uwaterloo.ca/gnu/gcc/gcc-8.2.0/) and many others do
not (ftp://ftp.gwdg.de/pub/misc/gcc/releases/gcc-8.2.0/). Why?

Should the mirrors not at least host the .sig files, considering that most
mirrors are http (not TLS/SSL) and the downloads can be MITM tampered?

best wishes

alex
