Come on guys, this is a really obvious security flaw. I get the heebie-jeebies installing packages when living in an oppressive country. I understand how package signing works, but this doesn't give me any reassurance at all because it's only a SINGLE LAYER of security. I have no idea what kind of protection mechanisms there are on the signing key, and whether anyone's being bribed/hacked to give them up.
Multiple layers of security are standard practice.
Additionally, as far as adding privacy via HTTPS goes, yes, it's possible to deduce which packages, but HTTPS significantly increases the work involved in doing so, thus it's still worth it.