[tz] Tonga returns to DST on 2016-11-06

Paul G paul at ganssle.io
Fri Nov 4 19:03:42 UTC 2016


One thing I notice about the github release tags is that they don't include the signature on the tarball. If the tarballs can be reproducibly created on the github repository, I imagine it would go a long way to say that the "official" distribution is the one that has been signed.

Assuming that the key it's signed with is trusted, then any number of mirrors could be considered "official" sources, since it is trivial to verify that the data has not been changed. If people feel comfortable treating the IANA as the trusted agency for distribution, they could host the (static, unchanging) public key somewhere.

There is a way to sign tags directly, but I'm not sure that there's a way to actually verify the signature without cloning the git repository. It might be worth looking into some sort of script or hook that automatically generates signed tarballs for distribution when the repository is tagged.


On November 4, 2016 2:31:42 PM EDT, Paul Eggert <eggert at cs.ucla.edu> wrote:
>On 11/04/2016 11:06 AM, Paul G wrote:
>> I think Paul meant that the "official" release would be the act of 
>> tagging the repo with the new version, not any random change.
>
>Yes, that's the intent. I installed the attached proposed patch to try 
>to clarify this. Most of the changes are to tz-link.htm not Theory, 
>since tz-link.htm talks about the distribution procedure.
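The "trivial to verify" step above has two halves: a trusted signature over the published tarball, and a tarball that can be rebuilt bit-for-bit from the tagged tree so that the signature (or the digest it covers) also matches what a mirror or a local checkout produces. The following Python script is an added example, not code from this thread or from the tz project, and the file names and prefix it archives are constructed stand-ins. It builds a tarball with every non-deterministic field normalised (entry order, mtime, uid/gid/owner names, mode, and the gzip header mtime), shows that two builds from the same content give the same SHA-256, and shows that a changed file fails the digest comparison, which is the property that lets any mirror be treated as "official" once the signed digest is known.

```python
import gzip
import hashlib
import hmac
import io
import tarfile
from typing import Dict


def build_reproducible_tarball(files: Dict[str, bytes], prefix: str) -> bytes:
    """Return .tar.gz bytes that depend only on file names and contents.

    Fields that normally differ between builds are pinned: entries are added
    in sorted order, mtime is 0, uid/gid are 0 with empty owner names, mode is
    0644, and the gzip header carries mtime 0 and no original file name.
    """
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name=f"{prefix}/{name}")
            info.size = len(data)
            info.mtime = 0
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    gz = io.BytesIO()
    # BytesIO has no .name, so gzip writes no FNAME field; mtime=0 pins the header.
    with gzip.GzipFile(fileobj=gz, mode="wb", mtime=0) as f:
        f.write(raw.getvalue())
    return gz.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_against_published_digest(tarball: bytes, published_sha256: str) -> bool:
    """Compare a downloaded or rebuilt tarball with a digest taken from a
    signed release note (the signature on that note is checked separately)."""
    return hmac.compare_digest(sha256_hex(tarball), published_sha256)


# Constructed sample tree standing in for a tagged checkout.
SAMPLE_FILES = {
    "NEWS": b"Release 2016-11-04: Tonga returns to DST on 2016-11-06\n",
    "australasia": b"Zone Pacific/Tongatapu 13:00 Tonga +13/+14\n",
}


def demo() -> Dict[str, bool]:
    """Build twice from the same tree (in different dict order), then from a
    tampered tree, and report which digests match the first build."""
    first = build_reproducible_tarball(SAMPLE_FILES, "tzdata-example")
    reordered = dict(reversed(list(SAMPLE_FILES.items())))
    second = build_reproducible_tarball(reordered, "tzdata-example")
    tampered = dict(SAMPLE_FILES)
    tampered["australasia"] = b"Zone Pacific/Tongatapu 13:00 - +13\n"
    third = build_reproducible_tarball(tampered, "tzdata-example")
    published = sha256_hex(first)
    return {
        "rebuild_matches": verify_against_published_digest(second, published),
        "tampered_matches": verify_against_published_digest(third, published),
    }


if __name__ == "__main__":
    print(demo())  # expect rebuild_matches True, tampered_matches False
```

In practice the published digest would come from a file signed with the distribution key, checked with something like `gpg --verify release.tar.gz.asc release.tar.gz` (hypothetical file names) against a key whose fingerprint was obtained out of band; the script only covers the reproducibility half, which is what makes a mirror's copy or a tag-based rebuild comparable to the signed artifact.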


More information about the tz mailing list