Tell HN: Linux Mint still serves their hash sums from http not https
You can verify your ISO from downloads page[0] by choosing your version, but when you want to verify the checksum, you are asked to visit a domain http://mint-mirror.gwendallebihan.net to download a file of the hash (and/or gpg key) that is served over plain http[1].
[0]: https://linuxmint.com/verify.php
[1]: http://mint-mirror.gwendallebihan.net/isos/stable/18.1/sha256sum.txt
11 comments
[ 3.2 ms ] story [ 34.3 ms ] thread[0]: https://news.ycombinator.com/item?id=11149839
If I had to chose between https and pgp, I would pick pgp. The OpenBSD project has a similar scheme (called signify).