New distro and repo, why not use md5 and sig like Slackware?
Without naming names, I thought that it would be good if all new distros and repositories for Linux software would require the use of md5 (or sha1) for all files and require signatures on those same files using a key. This is what Slackware does, and you can check that the signature is good and that the md5 matches, so that it is less likely that the download was wrong or that you used a bad mirror site. Being able to check that the md5 is authentic is good, and without a signature a bad site can just post a bad md5.
With OSS it can be tedious to get every maintainer to post a signature and md5, but it should be required. Any thoughts?
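The check described above, as an added example that is not part of the original post: verify the signature on the checksum list first, then compare the download against the signed list. The file names `CHECKSUMS.md5` and `CHECKSUMS.md5.asc`, the md5sum list format, and the function names are assumptions, and the signer's public key is assumed to be already imported into the GnuPG keyring from a source you trust.

```shell
#!/bin/sh
# Added example: verify a download against a signed checksum list.
# Assumed layout (not from the post): the list is in md5sum format
# ("<hash>  <path>", paths without spaces) and its detached signature
# is stored next to it as "<list>.asc".

# Return 0 only if the MD5 of FILE equals the hash listed for ENTRY in LIST.
md5_matches_list() {
    file=$1; list=$2; entry=$3
    [ -f "$file" ] && [ -f "$list" ] || return 2
    # Exact match on the path field, so "pkg.txz" never matches "pkg.txz.old".
    want=$(awk -v p="$entry" '$2 == p { print $1; exit }' "$list")
    [ -n "$want" ] || return 3        # no entry for this file: fail closed
    have=$(md5sum < "$file" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# Signature first, checksum second: the hash is only worth comparing once
# the list that carries it is known to come from the key holder. A mirror
# that swaps both the file and the list cannot also produce the signature.
verify_download() {
    file=$1; list=$2; entry=$3
    [ -f "$list.asc" ] || { echo "no signature for $list" >&2; return 4; }
    # gpg exits 0 for a good signature from any key in the keyring, so the
    # keyring should hold only keys obtained out of band.
    gpg --verify "$list.asc" "$list" || {
        echo "bad or unverifiable signature on $list" >&2; return 5; }
    md5_matches_list "$file" "$list" "$entry" || {
        echo "checksum mismatch for $entry" >&2; return 6; }
    echo "OK: $entry"
}

# Usage (constructed names):
#   verify_download ./pkg.txz ./CHECKSUMS.md5 ./pkg.txz
```

The same structure works with `sha256sum` in place of `md5sum` if the repository publishes a signed list of stronger hashes.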