Re: [dev] dmenu-4.4

From: Nick <>
Date: Wed, 20 Jul 2011 10:54:19 +0100

On Wed, Jul 20, 2011 at 10:47:28AM +0100, Kai Hendry wrote:
> HTTPS I can _just_ about live with, but that's crappy too really.
> Anyone can get a HTTPS cert, so how can you test sanely that it indeed
> came from suckless when sucking it down with curl? Surly it's more of
> a DNS thang we need to rely on?

Why isn't PGP signing the answer here? You can continue to
serve from a simple, insecure connection, without having to
pretend that HTTPS' trust model is not broken, and can verify
the download perfectly.

 gpg --verify dmenu-0.4.tar.gz.sig

is not that tricky.
Received on Wed Jul 20 2011 - 11:54:19 CEST

This archive was generated by hypermail 2.2.0 : Wed Jul 20 2011 - 12:00:04 CEST