[Repo-criteria-discuss] File checksums and signatures

[stargrave]

Greetings!

Current ethical repository criteria list does not note anything related
to downloaded data integrity and authenticity check. In my opinion those
subject is closely related to security, and privacy is impossible
without security.

Is not it will be useful to recommend at least having SHA256/whatever
checksums or hashes on downloads page? It could be convenient not only
to the users (to be able to verify the file not only against the
web-page contents, but also against mailing list announcement letter
containing checksums too), but also for maintainers to compare contents
and identicalness of various download sources without actual data
retrieving.

Moreover should not criteria list encourage using and providing of
OpenPGP signatures for the either tarballs or checksum file? HTTPS is
useful, but it is aimed on protection from other threats, it dictates
trust to some company, as a rule. But in my opinion free software
developers communicate more not with companies and corporations, but
humans, other developers. In free software community the trust value is
spreaded between the people and that is why OpenPGP signature are more
valuable, trusted and reliable for authenticity checks.

-- 
Happy hacking, Sergey Matveev