> if an upstream does not sign the files, does not have https enabled, and/or refuses to take security and privacy seriously, sha512 must be used in the PKGBUILD files. Then 1) you could argue our using SHA512 is meaningless, but 2) it doesn't matter; we should still be doing the Right™ thing. -Chris Tonkinson
Attachment:
signature.asc
Description: OpenPGP digital signature
