I've been catching up on this thread a bit and I'm under the impression that there may be a mix-up on authentication needs when making packages available. First, there is the maintainer of the PackMan database, who needs to be assured that the source can be trusted. As there can be many sources, this is a hard problem and ultimately would require a full-blown PKI. Now I can hardly imagine anyone would like to set up a PKI just for fun. PGP probably is the way to go here. Then there is the end user, who has to be convinced s/he can trust the PackMan database and the packages obtained through it. The discussion on MD5/SHA-1 and SSL seems to cover that fine. Bottom line is I would not try to implement a single mechanism and use it for both situations. Just my 10c. --eric
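The second of the two trust relationships in the post above (end user trusting the PackMan database and the packages fetched through it) can be made concrete as a signed manifest: the database maintainer signs a list of package hashes, and the user checks that signature before trusting any hash in it. The following is an added example, not code from the thread or from PackMan; it assumes Ed25519 for the maintainer's signature and SHA-256 for package digests in place of the MD5/SHA-1 and SSL mentioned in the post, and the manifest format, key seed and package contents are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps package file names to the hex SHA-256 of their contents.
// It is the part of the "PackMan database" that the end user needs to trust.
type Manifest map[string]string

// Encode serialises the manifest deterministically (one "name hash" line per
// package, sorted by name) so that the bytes the maintainer signs are exactly
// the bytes the user later verifies.
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", n, m[n])
	}
	return []byte(b.String())
}

// HashPackage returns the hex SHA-256 digest the manifest records for a package.
func HashPackage(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// NewMaintainerKey derives the maintainer's key pair from a fixed seed.
// The seed is a constructed demo value; a real maintainer would generate the
// key with crypto/rand and keep the private half offline.
func NewMaintainerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := []byte("packman-demo-seed-do-not-use-0001") // 32 bytes, assumption
	priv := ed25519.NewKeyFromSeed(seed[:ed25519.SeedSize])
	return priv.Public().(ed25519.PublicKey), priv
}

// SignManifest is the maintainer's step: sign the encoded manifest.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyPackage is the end user's step. The manifest signature is checked
// first, so a hash is only consulted once the database itself is trusted;
// then the downloaded package is compared against the listed digest.
func VerifyPackage(pub ed25519.PublicKey, m Manifest, sig []byte, name string, pkg []byte) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return errors.New("manifest signature invalid: database not trusted")
	}
	want, ok := m[name]
	if !ok {
		return fmt.Errorf("package %q not listed in manifest", name)
	}
	if got := HashPackage(pkg); got != want {
		return fmt.Errorf("package %q hash mismatch: got %s want %s", name, got, want)
	}
	return nil
}

func main() {
	pub, priv := NewMaintainerKey()

	// Constructed package contents standing in for a real tarball.
	pkg := []byte("constructed package contents for foo-1.0")
	m := Manifest{"foo-1.0.tar.gz": HashPackage(pkg)}
	sig := SignManifest(priv, m)

	fmt.Println("genuine package:", VerifyPackage(pub, m, sig, "foo-1.0.tar.gz", pkg))
	fmt.Println("tampered package:", VerifyPackage(pub, m, sig, "foo-1.0.tar.gz", []byte("tampered")))

	// An attacker who alters the manifest to match a tampered package still
	// fails, because the signature no longer covers the altered bytes.
	forged := Manifest{"foo-1.0.tar.gz": HashPackage([]byte("tampered"))}
	fmt.Println("forged manifest:", VerifyPackage(pub, forged, sig, "foo-1.0.tar.gz", []byte("tampered")))
}
```

The split the post argues for shows up in the types: the maintainer's private key and whatever process (PGP, in the post's suggestion) convinces the maintainer that a source is genuine never appear on the user side; the user only ever needs the maintainer's public key and the signed manifest.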