The website currently shows only very sparse information about how to verify build authenticity. There is currently no information found on 17.1, and the information regarding 15.1 and 16 is too limited for me to be able to successfully verify it, and I consider myself relatively educated in terms of security. Why not make fewer assumptions about users who are actually going to use the system? If I am unable to successfully verify build authenticity, then I am pretty sure that average users will not even attempt to verify it. A project should not leave less technically inclined users more vulnerable simply because they cannot perform the necessary verification. On a side note, why not use OpenPGP? This seems to me the more sensible process than running a Python script which itself cannot be verified. I know that OpenPGP has serious usability issues, but compared to the "script way" it seems much easier for the average user given proper instructions.