As someone who's a bit paranoid about security, I'd like to know if my understanding of how eopkg ensures the integrity of its downloads is correct:
First, all package files are downloaded over HTTPS. Each package.yml seems to contain a URL from where to download the actual program, together with the corresponding sha256 hash. To ensure the integrity of the packages, the eopkg-index.xml seems to contain a sha1 hash of each package that can be (and hopefully is) compared with the actual hash of a package. Is this correct so far?
What I don't understand is how the integrity of the index itself is verified. There is a file eopkg-index.xml.sha1 which contains the sha1 hash of the index, but without a signature for that file, this isn't a protection against manipulation (if an attacker gained access to the mirror, he/she could change both the index and the stored sha1 hash of the index).
Thanks in advance :-)
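To make the verification chain the question describes concrete, here is an added example (not code from the post and not eopkg's own implementation). It models a simplified index whose `<Package>` entries carry a file name and a hex sha1 of the package, and a `.sha1` side file holding the hex sha1 of the index; the element names and the side-file layout are assumptions for the example, as is the sample package content. The last function plays the attacker who has write access to the mirror and regenerates everything, which is exactly the case an unsigned hash file cannot catch.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_index(packages: dict) -> bytes:
    """Build a simplified index from {package file name: package bytes}.

    Constructed stand-in for eopkg-index.xml; the element names
    (EOPKG/Package/PackageURI/PackageHash) are assumptions for this example.
    """
    root = ET.Element("EOPKG")
    for uri, blob in packages.items():
        pkg = ET.SubElement(root, "Package")
        ET.SubElement(pkg, "PackageURI").text = uri
        ET.SubElement(pkg, "PackageHash").text = sha1_hex(blob)
    return ET.tostring(root)


def build_sha1_file(index_xml: bytes) -> bytes:
    """Side file in the style of eopkg-index.xml.sha1 (assumed: bare hex digest)."""
    return (sha1_hex(index_xml) + "\n").encode()


def verify_index(index_xml: bytes, sha1_file: bytes) -> bool:
    """Compare the sha1 of the index with the digest stored in the side file.

    Only proves the two files are consistent with each other; it says
    nothing about who produced them.
    """
    parts = sha1_file.decode(errors="replace").split()
    if not parts:
        return False
    # first token so that a "digest  filename" layout is also accepted
    return hmac.compare_digest(sha1_hex(index_xml), parts[0].lower())


def index_hash_for(index_xml: bytes, uri: str):
    """Return the sha1 the index claims for a package file, or None if absent."""
    root = ET.fromstring(index_xml)
    for pkg in root.findall("Package"):
        if pkg.findtext("PackageURI") == uri:
            return pkg.findtext("PackageHash")
    return None


def verify_package(index_xml: bytes, uri: str, pkg_bytes: bytes) -> bool:
    """Check a downloaded package against the hash the index lists for it."""
    expected = index_hash_for(index_xml, uri)
    if expected is None:
        return False
    return hmac.compare_digest(sha1_hex(pkg_bytes), expected.lower())


# Constructed sample mirror state: one package, its index and the side file.
PACKAGE_URI = "example-1.0-1-1-x86_64.eopkg"
GENUINE_PACKAGE = b"constructed stand-in for a genuine .eopkg archive"
GENUINE_INDEX = build_index({PACKAGE_URI: GENUINE_PACKAGE})
GENUINE_SHA1_FILE = build_sha1_file(GENUINE_INDEX)


def simulate_mirror_compromise():
    """An attacker who controls the mirror swaps the package, rewrites the
    index with the new hash and regenerates the .sha1 file. Both checks pass.
    Returns (index_check_passed, package_check_passed)."""
    evil_package = b"constructed stand-in for a backdoored .eopkg archive"
    evil_index = build_index({PACKAGE_URI: evil_package})
    evil_sha1_file = build_sha1_file(evil_index)
    return (verify_index(evil_index, evil_sha1_file),
            verify_package(evil_index, PACKAGE_URI, evil_package))


if __name__ == "__main__":
    print("genuine index ok:", verify_index(GENUINE_INDEX, GENUINE_SHA1_FILE))
    print("genuine package ok:", verify_package(GENUINE_INDEX, PACKAGE_URI, GENUINE_PACKAGE))
    print("tampered package ok:", verify_package(GENUINE_INDEX, PACKAGE_URI, b"tampered"))
    print("compromised mirror passes both checks:", simulate_mirror_compromise())
```

The hash comparisons protect against corruption in transit and against a package that was swapped without the index being updated; they do not distinguish a mirror operator from an attacker, because anyone who can write the index can also write the digest beside it. Binding the index to a key the client already trusts (a detached signature over the index, verified against a locally installed public key) is the part this chain is missing.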