@tehjh difference between trusting distro and pipe-to-shell is that the former trusts every CA to get it right and not be evil
Replying to @damienmiller
@damienmiller and the distro probably pulled half the packages over plaintext svn/git/http/...
Replying to @tehjh
@damienmiller e.g. pulseaudio at least sends announcement mails with unsigned hashes, but I can't find any way to verify an openjdk download
@damienmiller ofc, a maintainer can just download the same code using different machines, then compare. probably more secure than HTTPS
8:30 PM - 18 Sep 2015