Ludovic Courtès <[email protected]> writes:

> Right, we should improve the doc. Most of the time, that means checking
> the signature on the release tag.
Several of the packages do not use a released version for various reasons and thus don't have a signature in the release. And some do not have a signature in the release. I see the various forges have a way to download the repositories as a compressed archive, but I'm not sure if this actually improves the situation, as it's basically the same as a checkout and we don't know if it's the same as the author intended. But I guess this point is a best-effort tip? When there is no release with a supplied hash, I have no way of knowing and have to trust that the repository is not tainted at the time I add the hash to the package.
