
The signatures and binaries are not served over HTTPS. It would be prudent to compare them to other sources.



Just for reference, SHA1s posted from an independent source yesterday: https://news.ycombinator.com/item?id=7816109


Actually it would be good if the webmaster behind this reboot got SSL set up. Especially if this is going to be the new most authoritative download source.


SSL is better than no SSL, but for better assurance they should offline sign the downloads.


That would be prudent regardless. If you trust HTTPS, why verify the PGP signatures? And if you don't, verifying the PGP signatures does not get you anything if you have no reason to trust the key.
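
The cross-check suggested in the thread, as an added example that is not part of any comment: it hashes a downloaded file and accepts it only when digests obtained over channels other than the download's own agree with it. The channel labels, source names and the two-source threshold are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="sha1"):
    """Hash the file in chunks so large downloads do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def cross_check(path, download_channel, claims, algo="sha1", min_independent=2):
    """claims: list of (source, channel, hex_digest) tuples (hypothetical labels).

    A digest fetched over the same channel as the file is recorded but never
    counted: whoever could alter the file in transit could alter it too.
    Returns (accepted, report).
    """
    actual = file_digest(path, algo)
    report = {"actual": actual, "agree": [], "disagree": [], "same_channel": []}
    for source, channel, claimed in claims:
        claimed = "".join(claimed.split()).lower()  # tolerate case and whitespace
        if claimed != actual:
            report["disagree"].append(source)
        elif channel == download_channel:
            report["same_channel"].append(source)
        else:
            report["agree"].append(source)
    # Any mismatch is a hard failure, even when other sources agree.
    accepted = not report["disagree"] and len(report["agree"]) >= min_independent
    return accepted, report


if __name__ == "__main__":
    # Constructed sample: a stand-in "download" and constructed digest claims.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed sample installer bytes")
    good = file_digest(tmp.name)
    claims = [
        ("download site", "http-mirror", good),       # same channel: not counted
        ("forum post", "https-forum", good.upper()),
        ("package archive", "https-archive", good),
    ]
    print(cross_check(tmp.name, "http-mirror", claims))
    os.unlink(tmp.name)
```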



