Follow-up Comment #3, sr #109567 (project administration):

> To enforce security, it would make sense to fetch the .sig file from the main site and only the non-signature files from the mirror.

This doesn't matter: if the signature made with a valid key verifies, the file is authentic (within certain assumptions); else it may not be.

> It requires that users check the signatures. ...
> we all know that there are fake identities floating around...checking more than the usual 8 digits of a key id.

Quite right, the users should make sure that they use the right public keys; but there is no other real way to protect from MITM.

_______________________________________________________

Reply to this item at:

<https://savannah.gnu.org/support/?109567>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
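The check both sides of the exchange agree on (verify the detached signature, and make sure it comes from the right key by comparing the full fingerprint rather than an 8-digit key ID) as an added example; this is not a script from the ticket or from any GNU project. It assumes `gpg` is installed for the real verification path; the pinned fingerprint and the two `gpg --status-fd` samples are constructed for illustration and do not belong to any real key.

```shell
#!/bin/sh
# Added example, not from the Savannah ticket or any GNU project script.
# Pins the signer's full 40-hex-digit fingerprint instead of a short key ID.
# Assumes: gpg installed (only needed by verify_detached); the fingerprint
# below and the sample status lines are constructed for illustration.

# Hypothetical pinned fingerprint of the release-signing key (not a real key).
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status STATUS_TEXT WANT_FPR
# Parses gpg --status-fd output. Succeeds (exit 0) only if a VALIDSIG line
# names WANT_FPR as the signing-key fingerprint (field 3) or the primary-key
# fingerprint (field 12). GOODSIG alone is not enough: it carries only a
# 16-hex-digit key ID, and the 8-digit "short ID" people usually compare is
# trivially collidable, so the comparison is on the full fingerprint.
check_status() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
      (toupper($3) == want || toupper($12) == want) { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# verify_detached FILE SIGFILE WANT_FPR
# Runs gpg on a detached signature and requires both a cryptographically
# valid signature (gpg exit 0) and the pinned fingerprint. The key need not
# be "trusted" in the web-of-trust sense; pinning replaces that judgement.
verify_detached() {
  file="$1"; sig="$2"; want="$3"
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
  check_status "$status" "$want"
}

# Constructed sample of what gpg --status-fd prints for a good signature
# from the pinned key (dates and timestamps are placeholders).
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Release Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample for a key whose short ID (last 8 hex digits, 01234567)
# collides with the real one but whose full fingerprint differs: gpg still
# reports GOODSIG/VALIDSIG, so only the fingerprint comparison catches it.
SAMPLE_COLLIDING_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9801234567 Release Signer <signer@example.org>
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFEDCBA9801234567 2024-01-01 1704067200 0 4 0 1 10 00 FFFFFFFFFFFFFFFFFFFFFFFFFEDCBA9801234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Usage: sh verify.sh FILE FILE.sig
if [ "$#" -eq 2 ]; then
  if verify_detached "$1" "$2" "$EXPECTED_FPR"; then
    echo "OK: $1 signed by $EXPECTED_FPR"
  else
    echo "REJECT: signature missing, invalid, or not from the pinned key" >&2
    exit 1
  fi
fi
```

The fingerprint is compared in the script rather than left to gpg's trust model because, as the comment says, the only real defence against a substituted file and a substituted key is that the user holds the right public key; where the .sig was downloaded from makes no difference once that is pinned.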