[tz] Tonga returns to DST on 2016-11-06

Paul Eggert eggert at cs.ucla.edu
Fri Nov 4 19:27:49 UTC 2016


On 11/04/2016 12:03 PM, Paul G wrote:
> One thing I notice about the github release tags is that they don't 
> include the signature on the tarball. If the tarballs can be 
> reproducibly created on the github repository, I imagine it would go a 
> long way to say that the "official" distribution is the one that has 
> been signed.

The tarballs are reproducible, albeit with developer tools (e.g., one 
needs a 'tar' that is compatible with GNU Tar). I could email signatures 
(.asc files) to tz at iana.org as soon as I generate them, and 
this would let hurried but paranoid developers retrieve tagged commits 
and generate and verify the tarballs themselves, as long as they have 
the proper tools.

This all sounds complicated, though. The developers of Oracle's 
TZUpdater tool apparently found the .asc files to be too much of a 
hassle, and instead use SHA-512 checksums from a central server instead. 
Should we slap more gingerbread atop a signature-checking procedure that 
already may be a bridge too far?
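
An added illustration, not part of the original message and not the tz project's build procedure: a detached signature or SHA-512 checksum only helps someone rebuilding from a tagged commit if the rebuilt tarball is byte-identical, which means pinning member order, timestamps, ownership and the gzip header. The file names, contents and timestamp below are constructed, and the function names are hypothetical.

```python
import gzip, hashlib, io, tarfile

# Constructed sample tree (name -> contents); not real tz data.
SAMPLE = {"sample/data.txt": b"rule one\n", "sample/README": b"hello\n"}
TAG_TIME = 1478217600  # constructed timestamp standing in for the tag's commit time

def build_tarball(files, mtime):
    """Return .tar.gz bytes that depend only on `files` and `mtime`."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):           # fixed member order
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime               # fixed timestamp, not the build time
            info.mode = 0o644
            info.uid = info.gid = 0          # no trace of the builder's account
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    # gzip records its own timestamp and file name in the header; pin both.
    with gzip.GzipFile(filename="", mode="wb", fileobj=out, mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def sha512_hex(data):
    return hashlib.sha512(data).hexdigest()

def matches_published(data, published_hex):
    """Compare a locally built tarball against a published SHA-512 digest."""
    return sha512_hex(data) == published_hex.strip().lower()

if __name__ == "__main__":
    first = build_tarball(SAMPLE, TAG_TIME)
    second = build_tarball(dict(reversed(list(SAMPLE.items()))), TAG_TIME)
    print("identical rebuild:", first == second)
    print("sha512:", sha512_hex(first))
```

A digest check like this shows only that the rebuild equals whatever the digest's publisher built; a signature over the same bytes is what ties them to the signer's key.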


