Hello,
I'm trying to set up package autobuild using a continuous integration system. I don't want the hassle of checking GPG signatures. Setting up software in the context of a hosted CI service is not easy and sometimes even impossible or not allowed.
Best way would be to be able to access the md5sum files using some "secure" connection.
For example, Arch Linux itself has this:
https://www.archlinux.org/iso/latest/sha1sums.txt
Fast, easy, secure and simple way of getting a "trustworthy" checksum to compare files downloaded from mirrors to.
This could also help when installing manually. You could link the proper md5sum file with each installation instructions so people can check their downloads manually.
Does something like this exist for Arch Linux ARM and if not: Could you symlink them to some place on your webserver so they can be downloaded via encrypted HTTPS?
Edit: You actually link the MD5 files here:
https://archlinuxarm.org/about/downloads
Fiddling with the URL brings me to this: https://archlinuxarm.org/os/ArchLinuxAR ... tar.gz.md5
And this link downgrades to HTTP... Useless this way. If a mirror is compromised, then the "hacker" would replace the md5 files, too. Having them on the trustworthy source would really help here.
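As an added example (not code from the post or from the Arch Linux ARM project), the verification flow described above in POSIX sh: fetch the .md5 file over HTTPS only, failing if the URL or any redirect falls back to plain HTTP, then compare it against a tarball pulled from an arbitrary mirror. It assumes curl and GNU coreutils md5sum; the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes curl and GNU md5sum.
# Idea: the checksum comes only from the trusted HTTPS origin, the big
# download can come from any mirror, and the two are compared locally.
set -eu

# Download a checksum file, allowing https:// only, for the URL itself and
# for any redirect, so a silent downgrade to HTTP fails instead of succeeding.
fetch_checksum_https() {
    # $1 = HTTPS URL of the .md5 file, $2 = destination path
    curl --fail --silent --show-error \
         --proto '=https' --proto-redir '=https' \
         --output "$2" "$1"
}

# Verify a tarball against a .md5 file in "<hex digest>  <filename>" format.
# Returns 0 on match, 1 on mismatch or when the file is not a valid digest.
verify_md5() {
    # $1 = path to .md5 file, $2 = path to the downloaded tarball
    expected=$(awk 'NR==1 {print tolower($1)}' "$1")
    case "$expected" in
        ""|*[!0-9a-f]*) return 1 ;;      # empty or not hex: refuse
    esac
    [ "${#expected}" -eq 32 ] || return 1  # MD5 digests are 32 hex chars
    actual=$(md5sum "$2" | awk '{print tolower($1)}')
    [ "$expected" = "$actual" ]
}

# Usage (placeholder names):
#   fetch_checksum_https https://example.invalid/os/IMAGE.tar.gz.md5 IMAGE.tar.gz.md5
#   verify_md5 IMAGE.tar.gz.md5 IMAGE.tar.gz && echo "checksum OK"
```

A mismatch or a malformed .md5 file makes verify_md5 return non-zero, so a CI job can simply fail on it.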