viraptor 17 hours ago

> already trusted because it was downloaded over HTTPS from a trusted server (making PGP kind of redundant in some ways)

That's mostly incorrect on both counts. One is that lots of mirrors are still http-only or http by default: https://launchpad.net/ubuntu/+archivemirrors The other is that if you get access to one of the mirrors and replace a package, it's the signature that stops you. HTTPS is only relevant for MITM attacks.

> they'd be more likely to start a migration away from PGP

The discussions started ages ago: Debian https://wiki.debian.org/Teams/Apt/Spec/AptSign Fedora https://lists.fedoraproject.org/archives/list/packaging@list...
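A small model of the point made above, added here as an example and not part of the comment or of apt itself: the client verifies a signed Release file, then the Packages index it covers, then the .deb, so a package swapped on a mirror is rejected whatever the transport was. The HMAC standing in for the archive's PGP signature and the package names are constructed for the example.

```python
import hashlib
import hmac

# Constructed model of the apt trust chain: a signed Release lists the digest of
# the Packages index, which lists the digest of every .deb. The PGP signature is
# stood in for by an HMAC under a key only the archive should hold (real clients
# hold only the archive's public key and cannot sign).
ARCHIVE_KEY = b"constructed archive signing key"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(release: bytes) -> str:
    return hmac.new(ARCHIVE_KEY, release, hashlib.sha256).hexdigest()

def build_archive(debs: dict) -> dict:
    """Archive side: emit Packages, Release and the signature over Release."""
    packages = "".join(f"Filename: {n}\nSHA256: {sha256(d)}\n\n"
                       for n, d in sorted(debs.items())).encode()
    release = f"SHA256: {sha256(packages)} Packages\n".encode()
    return {"Release": release, "Release.gpg": sign(release), "Packages": packages, **debs}

def verify_download(mirror: dict, name: str) -> bytes:
    """Client side: accept a .deb only if every link of the chain checks out."""
    release = mirror["Release"]
    if not hmac.compare_digest(sign(release), mirror["Release.gpg"]):
        raise ValueError("Release signature invalid")
    if sha256(mirror["Packages"]) != release.decode().split()[1]:
        raise ValueError("Packages index does not match signed Release")
    digests = {}
    for stanza in mirror["Packages"].decode().strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        digests[fields["Filename"]] = fields["SHA256"]
    if name not in digests or sha256(mirror[name]) != digests[name]:
        raise ValueError(f"{name} does not match the signed index")
    return mirror[name]

def swapped_package_rejected(reindex: bool) -> bool:
    """Mirror serves a replaced .deb; optionally also rewrites Packages/Release
    to match, but cannot produce a new signature. Either way the client refuses."""
    mirror = build_archive({"hello_1.0_amd64.deb": b"original package bytes"})
    forged = build_archive({"hello_1.0_amd64.deb": b"modified package bytes"})
    mirror["hello_1.0_amd64.deb"] = forged["hello_1.0_amd64.deb"]
    if reindex:  # old Release.gpg stays: no signing key on the mirror
        mirror["Packages"], mirror["Release"] = forged["Packages"], forged["Release"]
    try:
        verify_download(mirror, "hello_1.0_amd64.deb")
        return False
    except ValueError:
        return True
```

The same check rejects the swap whether the bytes were altered on the mirror's disk or on the wire, which is why the signature, not HTTPS, is what protects the package contents.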