
Hello,
today I've taken a look at a daily image for grml.org and found no way to verify that the image I'm downloading actually is from your build machines.
http://grml.org/daily/ leads me to something like http://daily.grml.org/grml64-full_testing/2017-04-19_05-31-21/
where there are no OpenPGP signatures available, and the https variant of the URL does not show the files.
This is a problem because a downloader can be attacked by serving a different iso file and the corresponding checksums. To prevent this attack you could
a) also use https on the daily.grml.org server
b) use a new OpenPGP build key without password, publish the pubkey on the https mainsite and use the key in the automatic building process to generate the detached signatures.
Best Regards,
Bernhard

PS: if you have a flattr account, I would have flattred you. :) Thanks for grml.
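As an added illustration of the check a downloader would run once detached signatures exist (example code added here, not grml's tooling and not part of Bernhard's mail): the script verifies the signed checksum file against a pinned build-key fingerprint, then the ISO against the checksum. A plain `gpg --verify` exit status is not enough, since it succeeds for any key in the keyring; the file names, the SHA256SUMS layout and the fingerprint argument are assumptions.

```shell
#!/bin/sh
# verify_release ISO CHECKSUMS CHECKSUMS_SIG EXPECTED_FPR
# Returns 0 only if CHECKSUMS_SIG is a good signature over CHECKSUMS made by the
# key with fingerprint EXPECTED_FPR (the pubkey published on the https mainsite)
# AND the ISO's SHA-256 matches the entry for it in CHECKSUMS.
# Non-zero codes: 1 bad/missing signature, 2 signed by an unexpected key,
# 3 no checksum entry for the ISO, 4 ISO hash mismatch.
# File names and key fingerprint are assumptions for this example.
verify_release() {
    iso=$1 sums=$2 sig=$3 want_fpr=$4

    # --status-fd 1 gives machine-readable lines on stdout; a good signature
    # produces "[GNUPG:] VALIDSIG <fingerprint> ...". Human output goes to stderr.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1

    # Pin the signer: a valid signature from some other key is not acceptable.
    got_fpr=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $3; exit}')
    [ -n "$got_fpr" ] && [ "$got_fpr" = "$want_fpr" ] || return 2

    # Only now trust the checksum file: pick the line for this ISO's file name
    # (sha256sum writes "hash  name" or "hash *name" in binary mode).
    want_sum=$(awk -v f="$(basename "$iso")" '$2==f || $2=="*"f {print $1; exit}' "$sums")
    [ -n "$want_sum" ] || return 3

    got_sum=$(sha256sum "$iso" | awk '{print $1}')
    [ "$got_sum" = "$want_sum" ] || return 4
    return 0
}

# Usage, with the fingerprint taken from the pubkey published over https:
# verify_release grml64-full.iso SHA256SUMS SHA256SUMS.asc "$EXPECTED_BUILD_KEY_FPR"
```

If an attacker replaces both the ISO and the checksum file (the attack described in the mail), the signature check fails at the first step; if only the ISO is swapped, the hash comparison fails.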