@tehjh difference between trusting distro and pipe-to-shell is that the former trusts every CA to get it right and not be evil
@damienmiller and the distro probably pulled half the packages over plaintext svn/git/http/...
@damienmiller e.g. pulseaudio at least sends announcement mails with unsigned hashes, but I can't find any way to verify an openjdk download
@damienmiller ofc, a maintainer can just download the same code using different machines, then compare. probably more secure than HTTPS