[tz] Tonga returns to DST on 2016-11-06
eggert at cs.ucla.edu
Fri Nov 4 20:38:44 UTC 2016
On 11/04/2016 12:29 PM, Andreas Heigl wrote:
> It's a feature from git itself, not github.
> It is based on GPG-Keys so there's no central trusted instance which can
> be a benefit or a curse depending on how you look at it.
Except for 2016f (where I used a "wrong" key), I have been signing these
tags using the public key ED97E90E62AA7E34 registered at pgp.mit.edu.
I didn't know until today about GitHub's "Verified" UI that was
introduced in April. To help out with that, I just now uploaded the
public key to my GitHub account, so that GitHub now verifies release
tags at <https://github.com/eggert/tz/tags>.
You can also verify the tags using plain Git, assuming you have imported
the public key from pgp.mit.edu:
$ git tag -v 2016i
tagger Paul Eggert <eggert at cs.ucla.edu> 1478067592 -0700
gpg: Signature made Tue 01 Nov 2016 11:21:17 PM PDT using RSA key ID
gpg: Good signature from "Paul Eggert <eggert at cs.ucla.edu>"
Hmm, I now see that the signature timetamp is later than the release
timestamp (1478067592 = 2016-11-01 23:19:52 -0700, the time stamp
documented in the NEWS file). That is annoying. I wonder if this
discrepancy can be fixed in later releases?
More information about the tz