No https/ftps downloads, no pgp/gpg key

  • Chris and the gang have always had a healthy sense of paranoia (for instance, repeatedly insisting not to use a VM for production), but in the wake of the NSA BS as well as the ever increasing number of attacks, I'm curious why, for something this important security-wise, there isn't additional verification beyond MD5 and SHA256 (and even then, they're also only on the mirrors).  For those of us more paranoid (and also to guard against over-zealous stream compressors such as found on satellite and cellular connections), it seems it may be a good idea to use TLS to download rather than a naked stream, and then a PGP/GPG verification when finished.

    Do you guys think I'm being TOO paranoid, or is this too hard, or what?  I tried a few search terms on the forum, including GPG and PGP, and came up empty, so it would seem no one has though of this before–very surprising to me.  What do you all think?


Log in to reply