[justinsb]

I'm not sure what PGP would buy us over everything going over https from sites under Meteor's control? Cryptographic verification is great when you want to deliver the bulk of the content over http, or via untrusted mirrors, but we're not doing that.

However, if you want greater assurance, Meteor is open source, and easy to run from a git checkout. That seems to solve even more problems than PGP would, though then you should worry about whether you should compile nodejs yourself, and eventually you start eyeing your CPU suspiciously... :-)

(BTW, I think this is why just linking to a HN thread is tricky... it's difficult to know which of the many viewpoints on any thread you share!)

[FooBarWidget]

It buys you almost nothing. The only thing it buys you is avoidance of knee-jerk reactions from certain people, who most likely never were interested in Meteor in the first place.

[sarciszewski]

Instead of taking the troll bait here, I'll just link to this excellent blog post by Anthony Ferrara that sums up my position well.

http://blog.ircmaxell.com/2014/10/fud-and-flames-and-trolls-...

> Those That Have Passion

[sarciszewski]

> I'm not sure what PGP would buy us over everything going over https from sites under Meteor's control?

Rogue CA certificates, targeted MITM -> RCE attacks (Nation State Adversaries, etc.)

By using PGP (or, hell, openssl) to sign the package with a key that remains offline/air-gapped and then writing installer instructions that verify the signature before running anything, you reduce the odds of this happening significantly.

Additionally, it allows you to mirror the contents on CDNs with some peace of mind.

[sciurus]

PGP would get you a lot. See this discussion for why https "only helps in a small way and is not enough to provide users with a reasonable level of trust that it's safe to use your software."

https://github.com/wayneeseguin/rvm/issues/3105#issuecomment...