31 Jan 2013, 3:47 a.m.
> As long as we upload packages via plain HTTP, signing won't help though.

I don't think that's true? If the package is tampered with, then the signature will be invalid; if the signature is also forged, then the private key is compromised and we can blacklist it. We care only about integrity, not secrecy.

Edward
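
Added example, not part of the original message or of any project's code: a client-side check of a package fetched over an untrusted channel, covering the three cases the message names (intact, tampered in transit, signing key blacklisted). Ed25519, the `Verifier` type and the hex-public-key key IDs are assumptions; the thread names no signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"errors"
	"fmt"
)

var ErrUnknownKey = errors.New("signer not in trusted keyring")
var ErrRevoked = errors.New("signing key is blacklisted")
var ErrBadSig = errors.New("signature does not match package bytes")

// Verifier holds trusted uploader keys and a blacklist, indexed by hex public key (assumed convention).
type Verifier struct {
	Trusted map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// Verify checks package bytes from an untrusted channel against a detached signature.
func (v *Verifier) Verify(pkg, sig []byte, keyID string) error {
	if v.Revoked[keyID] {
		return ErrRevoked // checked first: a blacklisted key vouches for nothing
	}
	pub, ok := v.Trusted[keyID]
	if !ok {
		return ErrUnknownKey // a self-generated key is not in the keyring
	}
	if !ed25519.Verify(pub, pkg, sig) {
		return ErrBadSig
	}
	return nil
}

// Demo returns verdicts for: intact package, altered in transit, key blacklisted afterwards.
func Demo() (intact, tampered, revoked error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed demo key
	pub := priv.Public().(ed25519.PublicKey)
	id := hex.EncodeToString(pub)
	pkg := []byte("example-1.0.tar.gz contents (constructed)")
	sig := ed25519.Sign(priv, pkg)
	v := &Verifier{Trusted: map[string]ed25519.PublicKey{id: pub}, Revoked: map[string]bool{}}
	intact = v.Verify(pkg, sig, id)
	tampered = v.Verify(append([]byte("extra"), pkg...), sig, id)
	v.Revoked[id] = true
	revoked = v.Verify(pkg, sig, id)
	return
}

func main() { fmt.Println(Demo()) }
```

The check only holds if the keyring and blacklist themselves reach the client over a channel that cannot be altered in transit.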