
> ¹ I'm aware that APT actually uses GPG, but it does (did) such fishy manipulations both before and after invoking GPG on the signed files, that, if this would've happened in a corporate setting, I'd have rather peculiar questions for the employee who wrote that code.

From the openSUSE, I brought up my concerns about us not using HTTPS and it boils down to the fact that few mirrors want to host stuff over SSL. And if not many mirrors will do it, the benefit to users is diminished (you can't force the usage of SSL on the client).

On the plus side, openSUSE does serve a copy of the GPG signing key for the ISO over HTTPS (from the main site). I just wish that there were fewer steps required to be sure that the ISO is official.


