On Apr 13, 2017 13:56, "Christian Rebischke" <Chris.Rebischke@archlinux.org> wrote:

On Thu, Apr 13, 2017 at 01:30:57PM -0700, William Roberts wrote:

> That's not true, he's providing you a detached signature via this
> mechanism. You just need to check the sha256sum before extraction.

The problem with providing only a SHA256 hash is that the hash was
provide via an insecure channel. I can't be sure that the hash is really
from him because he didn't even sign his mails. Someone could spoof his
mail or MITM in the webserver with the tarballs, etc etc..

Isn't the hash on the https people's page? Which last time I looked wasnt throwing cert errors in chrome.

The only secure way to ensure the original content of the tarball is via
signed tarballs signed by the developer.

Checksums and signed tarballs are totally two different things.