How would you know what the public key is? If you were to get it from
the website, then isn't trusting that equivalent to trusting the
checksums?

One thing I do think would be a good idea, though, is to publish a
non-broken hash (e.g., sha256) instead of just md5 and sha1, both of
which are broken.

Joseph C. Sible


On Fri, Jan 28, 2022 at 9:34 PM Anonymous <hyperowl@danwin1210.de> wrote:
>
> You only publish release checksums. The resulting scheme is weak: I need
> to trust HTTPS which is security theatre given how vulnerable CAs are.
> Please consider publishing cryptographic signatures of some kind
> (gpg/signify/whatever).
>