These should still be signed, even though a truly trusted key can't be used as there's no human involved in the process. With TLS alone, there's trust that every CA able to issue org certificates is not malicious/incompetent. It would be nice to have another way of verifying the authenticity of a snapshot, as we can with the release tarballs themselves.
These should still be signed, even though a truly trusted key can't be used as there's no human involved in the process. With TLS alone, there's trust that every CA able to issue
orgcertificates is not malicious/incompetent. It would be nice to have another way of verifying the authenticity of a snapshot, as we can with the release tarballs themselves.