Re: [dev] dl.suckless.org file integrity github project

From: Mattias Andrée <maandree_AT_kth.se>
Date: Wed, 23 Aug 2017 22:11:33 +0200

On Wed, 23 Aug 2017 22:03:41 +0200
Markus Teich <markus.teich_AT_stusta.mhn.de> wrote:

> Hiltjo Posthuma wrote:
> > Checksums are available in each project directory; yesterday I added
> > SHA256 checksums.
> >
> > For example:
> > SHA256: http://dl.suckless.org/dwm/sha256sums.txt
> > SHA1: http://dl.suckless.org/dwm/sha1sums.txt
> > MD5: http://dl.suckless.org/dwm/md5sums.txt
> >
> > HTTPS will be coming in a few weeks when some things are sorted. Maybe in the
> > future we can also add PGP-signed releases.
>
> Heyho,
>
> I don't see the benefit of checksums without signatures. We already kind of have
> transmission integrity by IP for release downloads or by git. We really need
> https, but PGP is probably controversial enough to be discussed. Maybe we have
> some time for that at the hackathon, but that would exclude people who cannot
> attend.
>
> Thus, start flaming your highly valued opinions about PGP-signing releases to
> the list nao! ;P
>
> --Markus
>

If the server's authenticity can be proven with HTTPS,
what additional security do PGP signatures provide?

Received on Wed Aug 23 2017 - 22:11:33 CEST
