<html><head></head><body>One thing I notice about the github release tags is that they don't include the signature on the tarball. If the tarballs can be reproducibly created on the github repository, I imagine it would go a long way to say that the "official" distribution is the one that has been signed.<br>
<br>
Assuming that the key it's signed with is trusted, then any number of mirrors could be considered "official" sources, since it is trivial to verify that the data has not been changed. If people feel comfortable treating the IANA as the trusted agency for distribution, they could host the (static, unchanging) public key somewhere.<br>
<br>
There is a way to sign tags directly, but I'm not sure that there's a way to actually verify the signature without cloning the git repository. It might be worth looking into some sort of script or hook that automatically generates signed tarballs for distribution when the repository is tagged.<br>
<br><br><div class="gmail_quote">On November 4, 2016 2:31:42 PM EDT, Paul Eggert <eggert@cs.ucla.edu> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail">On 11/04/2016 11:06 AM, Paul G wrote:<br /><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"> I think Paul meant that the "official" release would be the act of <br /> tagging the repo with the new version, not any random change.<br /></blockquote><br />Yes, that's the intent. I installed the attached proposed patch to try <br />to clarify this. Most of the changes are to tz-link.htm not Theory, <br />since tz-link.htm talks about the distribution procedure.<br /><br /></pre></blockquote></div></body></html>