
30 Jan 2013, 2:47 p.m.
> As long as we upload packages via plain HTTP, signing won't help though.

I don't think that's true? If the package is tampered with, then the signature will be invalid; if the signature is also forged, then the private key is compromised and we can blacklist it. We care only about integrity, not secrecy.

Edward
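The argument in the reply above, as an added example that is not part of the original message or the project's code: an index-side check that rejects a package altered on a plain-HTTP upload, a signature made with an unknown key, and anything signed by a blacklisted key. It assumes a Lamport one-time hash-based signature (chosen only so the example runs on the Python standard library, not the scheme under discussion in the thread); `check_upload`, `trusted` and `revoked` are hypothetical names.

```python
import hashlib
import hmac
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets and their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(package: bytes):
    d = H(package)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, package: bytes):
    # Reveal one secret per digest bit; a Lamport key must sign only once.
    return [sk[i][b] for i, b in enumerate(digest_bits(package))]

def key_id(pk) -> str:
    return H(b"".join(a + b for a, b in pk)).hex()

def check_upload(package, sig, pk, trusted, revoked) -> str:
    """Index-side check; everything arrived over an untrusted channel."""
    kid = key_id(pk)
    if kid in revoked:
        return "rejected: key blacklisted"
    if kid not in trusted:
        return "rejected: unknown key"
    bits = digest_bits(package)
    ok = len(sig) == 256 and all(
        hmac.compare_digest(H(s), pk[i][b]) for i, (s, b) in enumerate(zip(sig, bits)))
    return "accepted" if ok else "rejected: bad signature"

def demo():
    package = b"constructed sample package contents v1.0"
    sk, pk = keygen()
    sig = sign(sk, package)
    trusted, revoked = {key_id(pk)}, set()
    results = [check_upload(package, sig, pk, trusted, revoked)]       # untouched
    tampered = package + b" + bytes altered in transit"
    results.append(check_upload(tampered, sig, pk, trusted, revoked))  # modified on the wire
    sk2, pk2 = keygen()                                                # re-signed with another key
    results.append(check_upload(tampered, sign(sk2, tampered), pk2, trusted, revoked))
    revoked.add(key_id(pk))                                            # key reported compromised
    results.append(check_upload(package, sig, pk, trusted, revoked))
    return results
```

The check depends on the index already holding the maintainer's key identifier from a channel other than the upload itself; without that, the third case cannot be told apart from a legitimate upload.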