I'd like to see several improvements to the code verification for MariaDB. Porters should always have a way to validate that the tarball they've downloaded has not been tampered with.
- Only PGP signed MD5 hashes available for downloadable tarballs. Please update the hashes to SHA256 and provide signatures for these as well.
- Documentation on how to verify your downloaded tarball seems to be missing
- PGP code signing key not published on the website (yet on https://yum.mariadb.org)