On Wed, May 14, 2014 at 17:55, Marc Espie wrote:
> There's no point in providing SHA256.sig for packages. For one thing, it
> goes out of synch rather easily. For another thing, it's redundant with
> the package signatures themselves. THAT SHA256 file exists only to make it
> easier to check that a transfer went out okay. It's not there to protect
> against any kind of malice...

I'm inclined to say that if something looks like it could be used to
protect against malice, we should sign it. Or not provide it.

Providing a mix of signed and unsigned SHA256 files would be a
dangerous inconsistency in my mind.
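To make the point concrete, here is an added example (not from this thread, and not OpenBSD's code): a checksum-only check passes when a hostile mirror swaps a package and regenerates the SHA256 file, while a check that first verifies a signature over that file does not. Assumptions: the `SHA256 (name) = hex` line format, the constructed package contents, and Ed25519 as a stand-in for a signify signature over the file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// checksumLine is one entry of the unsigned SHA256 file shipped beside packages.
func checksumLine(name string, data []byte) string {
	sum := sha256.Sum256(data)
	return fmt.Sprintf("SHA256 (%s) = %s", name, hex.EncodeToString(sum[:]))
}

// checksumOK is the transfer check: does the downloaded package hash to an
// entry in the SHA256 file? It says nothing about who wrote that file.
func checksumOK(file, name string, data []byte) bool {
	for _, line := range strings.Split(file, "\n") {
		if line == checksumLine(name, data) {
			return true
		}
	}
	return false
}

// signedChecksumOK models SHA256.sig: the file must carry a valid signature from
// the project key before any entry is trusted (Ed25519 as a signify stand-in).
func signedChecksumOK(file string, sig []byte, pub ed25519.PublicKey, name string, data []byte) bool {
	return ed25519.Verify(pub, []byte(file), sig) && checksumOK(file, name, data)
}

// mirrorScenario signs a SHA256 file for a constructed package; with tamper set, a hostile
// mirror swaps the package and rewrites SHA256. Returns (unsigned passes, signed passes).
func mirrorScenario(tamper bool) (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	name, data := "foo-1.0.tgz", []byte("constructed genuine package contents")
	file := checksumLine(name, data) + "\n"
	sig := ed25519.Sign(priv, []byte(file)) // the project's SHA256.sig
	if tamper {
		data = []byte("constructed modified package contents")
		file = checksumLine(name, data) + "\n" // attacker regenerates SHA256 as well
	}
	return checksumOK(file, name, data), signedChecksumOK(file, sig, pub, name, data)
}
```

Both checks pass for the genuine mirror; after tampering, the unsigned check still passes because package and checksum file were rewritten together, and only the signed check fails.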