[Grml] How to verify daily snapshot downloads
Bernhard Reiter
2017-04-19 09:08:19 UTC
Hello,

today I've taken a look at a daily image for grml.org
and found no way to verify that the image I'm downloading actually is
from your build machines.

http://grml.org/daily/
leads me to something like
http://daily.grml.org/grml64-full_testing/2017-04-19_05-31-21/

where no OpenPGP signatures are available,
and the https variant of the URL does not show the files.

This is a problem because a downloader can be attacked by serving a
different iso file and the corresponding checksums. To prevent this attack
you could
a) also use https on the daily.grml.org server
b) Use a new OpenPGP build-key without password, publish the pubkey on the
https mainsite and use the key in the automatic building process to generate
the detached signatures.

Best Regards,
Bernhard
ps.: if you have a flattr account, I would have flattred you. :) Thanks for
grml.
--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
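The following is an added example, not code from the post above and not grml's
build scripts. It shows option b) end to end with GnuPG 2.1+: the build side
creates a passphrase-less, signing-only key in batch mode, exports the public
key (which would then be published on the https main site), writes detached
signatures for the image and its checksum file, and the downloader side verifies
those signatures from a fresh keyring containing only the published key. The key
name, the e-mail address, the file names and the "ISO" contents are constructed
stand-ins; the tampering step at the end shows that a swapped image with the
original signature is rejected.

```shell
#!/bin/sh
# Added example (not grml's own build code). Requires gpg (GnuPG 2.1+).
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg (GnuPG 2.1+) is required" >&2; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/build-gnupg"     # build machine's keyring (throw-away)
mkdir -m 700 "$GNUPGHOME"
BUILD_KEY_ID="build@example.invalid"      # hypothetical build-key identity

# --- build side -------------------------------------------------------------
# 1. Unattended key generation: %no-protection gives a key without passphrase,
#    Key-Usage: sign keeps it signing-only, as a build job needs nothing else.
gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Name-Real: Example daily build key
Name-Email: $BUILD_KEY_ID
Expire-Date: 1y
%commit
EOF

# 2. Public key as it would be published on the https main site.
gpg --batch --yes --quiet --armor --export "$BUILD_KEY_ID" > "$WORK/build-key.asc"

# 3. Constructed stand-ins for the daily image and its checksum file.
sha256_of() {   # portable SHA-256 hex digest (sha256sum on Linux, shasum elsewhere)
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}
ISO="$WORK/grml64-full_testing.iso"
printf 'constructed fake iso contents\n' > "$ISO"
printf '%s  %s\n' "$(sha256_of "$ISO")" "$(basename "$ISO")" > "$ISO.sha256"

# 4. Detached, ASCII-armoured signatures over the image AND the checksum file,
#    so an attacker cannot replace both files with a consistent pair.
for f in "$ISO" "$ISO.sha256"; do
  gpg --batch --yes --quiet --detach-sign --armor \
      --local-user "$BUILD_KEY_ID" --output "$f.asc" "$f"
done

# --- downloader side --------------------------------------------------------
# verify_download FILE SIGNATURE PUBKEY: imports only the published build key
# into a separate keyring and checks the detached signature. Exit status is
# gpg's: 0 for a good signature, non-zero otherwise.
verify_download() {
  dl_home="$WORK/downloader-gnupg"
  [ -d "$dl_home" ] || mkdir -m 700 "$dl_home"
  GNUPGHOME="$dl_home" gpg --batch --quiet --import "$3" 2>/dev/null
  GNUPGHOME="$dl_home" gpg --batch --quiet --verify "$2" "$1" 2>/dev/null
}

# tamper_check: a substituted image served with the original signature must
# fail verification. Returns 0 when it is correctly rejected, 1 otherwise.
tamper_check() {
  cp "$ISO" "$WORK/tampered.iso"
  printf 'attacker-modified\n' >> "$WORK/tampered.iso"
  if verify_download "$WORK/tampered.iso" "$ISO.asc" "$WORK/build-key.asc"; then
    return 1
  fi
  return 0
}

if verify_download "$ISO" "$ISO.asc" "$WORK/build-key.asc" \
   && verify_download "$ISO.sha256" "$ISO.sha256.asc" "$WORK/build-key.asc"; then
  echo "good signatures on image and checksum file"
else
  echo "signature verification FAILED" >&2; exit 1
fi
if tamper_check; then
  echo "tampered image correctly rejected"
else
  echo "tampered image was NOT rejected" >&2; exit 1
fi
```

Two points worth noting for a real deployment: the downloader must obtain
build-key.asc over https from the main site (or pin its fingerprint), because
a key fetched from the same unauthenticated mirror as the image proves nothing;
and because the key has no passphrase, it should live only on the build host
with restricted file permissions and a short expiry, exactly as the post's
option b) suggests.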