But how can I verify that the key with which to sign comes from a real OpenSSH developer? For the SSH connection, how do I verify the server?

It is mostly paranoia, because I am sure no hacker would choose such a convoluted way when there are many easier alternatives to compromise a certain computer. But I thought that the people developing security software would distribute their software almost completely securely.

On Oct 12, 2014, at 23:02, Mark Hahn <hahn@xxxxxxxxxxx> wrote:

>> insecurely and not encrypted. Is there any future plan to distribute
>> OpenSSH over a secured channel, such as https?
>
> why? the sources are signed. also, anoncvs is over ssh.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev