As I looked at webrsync, it seems it just pulls deltas which have no GPG signatures and happily installs them. So verifying the snapshots is useless. Deltas should be disabled with the webrsync-gpg USE flag or get GnuPG sigs as well.

Reproducible: Always
(In reply to Luca Schuhmacher from comment #0)
> As I looked at webrsync, it seems it just pulls deltas which have no GPG
> signatures and happily installs them. So verifying the snapshots is useless.

It reconstructs the snapshot from the deltas, and then verifies the signature on the snapshot. It's just as good as downloading the whole snapshot and then verifying that.
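
The reconstruct-then-verify behaviour described in the reply above, as an added example that is not part of the bug thread and is not webrsync's own code: an unsigned delta is applied to the old snapshot, and the signature check runs over the rebuilt result, so an altered delta is rejected. Assumptions: the delta format, all function names and the sample data are hypothetical, and HMAC-SHA512 with a constructed key stands in for the detached OpenPGP signature.

```python
import difflib
import hashlib
import hmac

# Assumption: HMAC-SHA512 with a constructed key stands in for the detached
# OpenPGP signature on the snapshot, so the example runs offline.
DEMO_KEY = b"constructed-demo-key"

def sign(snapshot: bytes) -> bytes:
    return hmac.new(DEMO_KEY, snapshot, hashlib.sha512).digest()

def verify(snapshot: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(snapshot), signature)

def make_delta(old: bytes, new: bytes) -> list:
    """Toy delta: copy ranges of the old snapshot, add literal new bytes."""
    ops = []
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            ops.append(("copy", i1, i2))
        elif tag in ("replace", "insert"):
            ops.append(("add", new[j1:j2]))
        # "delete": the old bytes are simply not copied
    return ops

def apply_delta(old: bytes, delta: list) -> bytes:
    return b"".join(old[op[1]:op[2]] if op[0] == "copy" else op[1] for op in delta)

def update(old: bytes, delta: list, signature: bytes) -> bytes:
    """Rebuild the new snapshot from an unsigned delta, then verify the result."""
    rebuilt = apply_delta(old, delta)
    if not verify(rebuilt, signature):
        raise ValueError("reconstructed snapshot does not match its signature")
    return rebuilt

# Constructed sample data (not real tree contents).
OLD = b"dev-libs/foo-1.0\nsys-apps/bar-2.3\n"
NEW = b"dev-libs/foo-1.1\nsys-apps/bar-2.3\napp-misc/baz-0.9\n"
SIGNATURE = sign(NEW)                  # published alongside the full snapshot
HONEST = make_delta(OLD, NEW)          # unsigned delta as served
TAMPERED = HONEST + [("add", b"app-misc/extra-6.6\n")]  # delta altered in transit

if __name__ == "__main__":
    print("honest delta accepted:", update(OLD, HONEST, SIGNATURE) == NEW)
    try:
        update(OLD, TAMPERED, SIGNATURE)
    except ValueError as exc:
        print("tampered delta rejected:", exc)
```

The check only protects the tree if the rebuilt snapshot is verified before anything from it is installed, which is the order `update()` enforces.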