How are things going regarding signing of packages to prevent man-in-the-middle attacks? Looking forward to give arch a closer try, but this is still a big showstopper because I would like to sync while I'm on e.g. an open airport network without the man-in-the-middle security hole.