Assistant: Removing signature from Torrent
By shipping a signature file directly in the Torrent, aren’t people downloading it more subject to possible downgrade attacks? In case a fake Torrent seeds an old ISO and an old signature file.
Shall we instead include in the Torrent a README and point to the ISO verification instructions on our website (HTTPS)?
Related issues
- Related to #9043 (closed)
- Related to #11019 (closed)
- Related to #11127 (closed)
Original created by @sajolida on 8832 (Redmine)