[tz] Tonga returns to DST on 2016-11-06
eggert at cs.ucla.edu
Fri Nov 4 19:27:49 UTC 2016
On 11/04/2016 12:03 PM, Paul G wrote:
> One thing I notice about the github release tags is that they don't
> include the signature on the tarball. If the tarballs can be
> reproducibly created on the github repository, I imagine it would go a
> long way to say that the "official" distribution is the one that has
> been signed.
The tarballs are reproducible, albeit with developer tools (e.g., one
needs a 'tar' that is compatible with GNU Tar). I could email signatures
(.asc files) to tz at iana.org as soon as I generate them, and
this would let hurried but paranoid developers retrieve tagged commits
and generate and verify the tarballs themselves, as long as they have
the proper tools.
This all sounds complicated, though. The developers of Oracle's
TZUpdater tool apparently found the .asc files to be too much of a
hassle, and use SHA-512 checksums from a central server instead.
Should we slap more gingerbread atop a signature-checking procedure that
already may be a bridge too far?
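As an added example (not code from the tz project or from anyone in this thread), a small Python checker for the two verification routes the message contrasts: a sha512sum-style listing, which only proves the file matches what the checksum server published, and a detached .asc signature checked against a pinned keyring. The tarball name, the sample bytes and the keyring path are constructed placeholders.

```python
"""Verify a release tarball two ways: a SHA-512 checksum line and a
detached OpenPGP signature (.asc) via gpg against a pinned keyring."""
import hashlib
import hmac
import shutil
import subprocess
import tempfile
from pathlib import Path


def sha512_of(path):
    """Stream the file so large tarballs do not need to fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_sums(tarball, sums_text):
    """Check tarball against a sha512sum(1)-style listing ('<hex>  <name>').
    Returns True only if a line names this file and its digest matches.
    A missing entry is a failure, not a pass. Note what this proves: the
    file equals what the checksum publisher had, nothing about who built it."""
    name = Path(tarball).name
    for line in sums_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == name:
            return hmac.compare_digest(parts[0].lower(), sha512_of(tarball))
    return False


def verify_detached_signature(tarball, asc, keyring):
    """Verify <tarball>.asc with gpg using only the given keyring (assumed
    path), so a key that merely looks official is not trusted by accident.
    Returns None when gpg is absent so callers can tell 'unchecked' from 'bad'."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    cmd = [gpg, "--no-default-keyring", "--keyring", str(keyring),
           "--batch", "--verify", str(asc), str(tarball)]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def demo():
    """Constructed sample: a stand-in file, a correct listing, a tampered one,
    and an empty listing. Returns the three verification results."""
    d = Path(tempfile.mkdtemp())
    tarball = d / "tzdata-example.tar.gz"  # placeholder name, not a real release
    tarball.write_bytes(b"not a real tarball, just constructed sample bytes\n")
    good = f"{sha512_of(tarball)}  {tarball.name}\n"
    tampered = "0" * 128 + f"  {tarball.name}\n"
    return (verify_against_sums(tarball, good),
            verify_against_sums(tarball, tampered),
            verify_against_sums(tarball, ""))
```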