On Wed, Jul 20, 2011 at 10:47:28AM +0100, Kai Hendry wrote:
> HTTPS I can _just_ about live with, but that's crappy too really.
> Anyone can get an HTTPS cert, so how can you test sanely that it indeed
> came from suckless when sucking it down with curl? Surely it's more of
> a DNS thang we need to rely on?

Why isn't PGP signing the answer here? You can continue to
serve from a simple, insecure connection, without having to
pretend that HTTPS' trust model is not broken, and can verify
the download perfectly.

    wget http://dl.suckless.org/tools/dmenu-4.4.tar.gz
    wget http://dl.suckless.org/tools/dmenu-4.4.tar.gz.sig
    gpg --verify dmenu-4.4.tar.gz.sig

is not that tricky.

Received on Wed Jul 20 2011 - 11:54:19 CEST
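
Added example, not part of the original message or of the suckless project: the download check described above, extended so that the signature must come from one pinned key, since plain `gpg --verify` accepts any key already in the keyring. The names `verify_pinned` and `selftest`, the demo tarball and the key identity are constructed for illustration; the real fingerprint has to be obtained out of band.

```shell
#!/bin/sh
# Added example (not from the original post). Plain `gpg --verify` accepts a
# signature from ANY key in the keyring; this also pins the signer's fingerprint.
# usage: verify_pinned <file> <file.sig> <fingerprint: 40 hex, uppercase, no spaces>
verify_pinned() {
    # --status-fd 1 prints machine-readable [GNUPG:] lines on stdout.
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    # The last field of VALIDSIG is the primary key fingerprint.
    got=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$got" ] && [ "$got" = "$3" ]
}

# Self-test in a subshell with a throwaway keyring and a constructed key and
# tarball, so nothing touches ~/.gnupg or the network.
selftest() (
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    cd "$GNUPGHOME" || exit 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Release Key <release@example.invalid>' \
        default default never 2>/dev/null || exit 1
    key=$(gpg --batch --with-colons --list-keys 2>/dev/null |
          awk -F: '$1 == "fpr" { print $10; exit }')
    echo 'constructed release contents' > demo.tar.gz
    gpg --batch --quiet --detach-sign --output demo.tar.gz.sig demo.tar.gz \
        2>/dev/null || exit 1

    verify_pinned demo.tar.gz demo.tar.gz.sig "$key" || exit 1   # pinned key: accept
    other=$(printf '%040d' 0)                                    # constructed wrong pin
    ! verify_pinned demo.tar.gz demo.tar.gz.sig "$other" || exit 1
    echo tampered >> demo.tar.gz                                 # modified download
    ! verify_pinned demo.tar.gz demo.tar.gz.sig "$key" || exit 1
)

if [ "${1:-}" = selftest ]; then selftest; fi
```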