@CrankyLinuxUser @videolan @Scott_Helme @Sand_Pox @TheHackersNews @troyhunt @mikko @hackerfantastic @fs0c131y Just a point of clarity. HTTPS only gets you tamper resistance *in flight*. If someone manages to screw with packages on a mirror, you're hosed. GPG gives e2e resistance so long as the signing key is properly protected. VLCs approach is largely fine IMO