But the checksums are PGP signed (inline PGP signature inside the SHA256 checksum file), so as long as the user has the pubkey used for this signature and uses it to verify the checksums, everything is fine. The pubkey's long fingerprint is noted on the main ISO download page, not on the mirror pages.
But the PGP signatures, to be secure, need a web of trust: a separate and trusted method to download and verify the keys themselves, and this we don't have.
Probably a certified page with all keys used by the project for signing downloads and builds.
Certified by who? Some commercial CA?
Does https://letsencrypt.org/ apply?
LE is backed by a commercial CA (unless some root CA decides to back LE, which is very unlikely since their whole business model depends on paying customers).

--
Aleksa Sarai
Docker Core Specialist
SUSE Australia
https://www.cyphar.com/
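The verification flow the first message describes (an inline-signed SHA256 checksum file, a fingerprint pinned from the download page, then the ISO hash) is easy to get subtly wrong: `gpg --verify` prints "Good signature" and exits 0 for any key in the keyring, so the check that actually matters is comparing the fingerprint gpg reports against the one you pinned out of band. The script below is an added example written for this thread, not code from the thread or from any project's release tooling. It parses gpg's `--status-fd` output (the `VALIDSIG` line format is gpg's real one), extracts the checksum lines from the clearsigned file, and compares the SHA256 of the downloaded image. The fingerprint, key ID, file names, status output and ISO contents are all constructed for the example; the only real external command referenced is `gpg --status-fd 1 --verify`, which is not run here.

```python
"""Verify a PGP-clearsigned SHA256SUMS file against a pinned fingerprint.

Added example, not from the mailing-list thread. All fingerprints, file names,
status lines and file contents below are constructed test data.
"""
import hashlib
import re
import subprocess

# Assumption: the fingerprint copied from the project's main download page
# (served over HTTPS, not from a mirror). This value is made up for the example.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# gpg --status-fd reports one VALIDSIG line per verified signature; the first
# field after the keyword is the 40-hex-digit fingerprint of the signing key.
VALIDSIG_RE = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40})\b", re.M)


def signature_by_pinned_key(status_output: str, pinned_fpr: str = PINNED_FPR) -> bool:
    """True only if gpg reported a VALIDSIG from exactly the pinned key.

    GOODSIG alone is not enough: it only says that *some* key in the local
    keyring made the signature, which is the trust gap the thread is about.
    """
    seen = {m.group(1) for m in VALIDSIG_RE.finditer(status_output)}
    return pinned_fpr.replace(" ", "").upper() in seen


def run_gpg_status(signed_file: str) -> str:
    """Real invocation for use outside this example: status lines go to stdout."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signed_file],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def parse_clearsigned_sums(text: str) -> dict:
    """Return {filename: sha256hex} from the signed body of a clearsigned file.

    Only lines between the armor headers and the BEGIN PGP SIGNATURE line are
    part of the signed message; dash-escaped lines ("- ...") are unescaped.
    """
    lines = iter(text.splitlines())
    for line in lines:
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            break
    else:
        raise ValueError("no clearsigned message found")
    for line in lines:  # skip armor headers such as "Hash: SHA256"
        if line == "":
            break
    sums = {}
    for line in lines:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        if line.startswith("- "):
            line = line[2:]
        m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(\S+)", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_download(iso_bytes: bytes, iso_name: str, sums_text: str,
                    status_output: str, pinned_fpr: str = PINNED_FPR) -> bool:
    """Full check: pinned key signed the sums file AND the image hash matches."""
    if not signature_by_pinned_key(status_output, pinned_fpr):
        return False
    expected = parse_clearsigned_sums(sums_text).get(iso_name)
    if expected is None:
        return False
    return hashlib.sha256(iso_bytes).hexdigest() == expected


# ---- constructed sample data ------------------------------------------------
ISO_NAME = "example-Linux-1.0-DVD-x86_64.iso"
ISO_BYTES = b"not really an ISO image, constructed for the example\n"
ISO_SHA256 = hashlib.sha256(ISO_BYTES).hexdigest()

SUMS_FILE = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

{ISO_SHA256}  {ISO_NAME}
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # an attacker-supplied key

# Modelled on gpg --status-fd output; values are invented.
STATUS_PINNED = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {PINNED_FPR[-16:]} Example Project Signing Key <signing@example.org>
[GNUPG:] VALIDSIG {PINNED_FPR} 2016-05-10 1462838400 0 4 0 1 8 01 {PINNED_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_OTHER = STATUS_PINNED.replace(PINNED_FPR, OTHER_FPR)  # also "Good signature" to gpg

if __name__ == "__main__":
    print("pinned key, intact image:", verify_download(ISO_BYTES, ISO_NAME, SUMS_FILE, STATUS_PINNED))
    print("substituted key:         ", verify_download(ISO_BYTES, ISO_NAME, SUMS_FILE, STATUS_OTHER))
    print("tampered image:          ", verify_download(ISO_BYTES + b"x", ISO_NAME, SUMS_FILE, STATUS_PINNED))
```

Note that `STATUS_OTHER` still carries GOODSIG and VALIDSIG lines, and gpg would have exited 0 for it; only the fingerprint comparison rejects it. The `TRUST_UNDEFINED` line is what gpg emits for a key you imported but never certified, which is the normal state for a downloaded project key and exactly why the pin has to come from a channel you trust more than the mirror.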