On 2/11/24 13:45, brian.inglis--- via tz wrote:
> I was referring solely to the original IERS source files leap-seconds.{[0-9]{10,},list} and all we can do for now to validate them, using sha1 and eyeball.
If I understand this correctly, the worry is that an attacker would somehow convince us that a leap second would occur on (say) December 31, 2024 and talk us into installing a bogus leap-seconds.list file into the development repository, and that we'd then generate a new TZDB release. Such a release would contain a leap-seconds.list file that was signed by us, but incorrect. I'd place this low on the list of things to worry about. Although it'd be better if the IERS signed their files, we publicize leap second updates on the TZDB mailing list and it seems unlikely such an attack would go unnoticed and unremarked upon before a TZDB release.
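
For reference, the sha1 check mentioned in the quoted message can be scripted as below; this is an added example, not code from the thread, from TZDB or from the IERS. It assumes the layout described in the header comments of leap-seconds.list (the `#h` line holds a SHA-1 over the `#$` value, the `#@` value, and each data line's timestamp and offset, whitespace removed), and the sample file is constructed. Because the hash is unkeyed it detects corruption only and says nothing about who produced the file, which is why a signature from the IERS would be the stronger control.

```python
import hashlib
import re

def hash_input(text):
    """Digits covered by the #h line: #$ value, #@ value, then each data
    line's NTP timestamp and TAI-UTC offset, with all whitespace removed."""
    updated = expires = ""
    data = []
    for line in text.splitlines():
        meta = re.match(r"#([$@])\s+(\d+)", line)
        row = re.match(r"\s*(\d+)\s+(\d+)", line)
        if meta and meta.group(1) == "$":
            updated = meta.group(2)
        elif meta:
            expires = meta.group(2)
        elif row:
            data.append(row.group(1) + row.group(2))
    return updated + expires + "".join(data)

def embedded_hash(text):
    """Return the #h value as 40 hex digits, or None if absent or malformed.
    Each of the five words may have lost its leading zeros, so pad to 8."""
    m = re.search(r"^#h\s+(.+)$", text, re.M)
    words = m.group(1).split() if m else []
    if len(words) != 5 or any(not re.fullmatch(r"[0-9a-fA-F]{1,8}", w) for w in words):
        return None
    return "".join(w.rjust(8, "0") for w in words).lower()

def verify(text):
    """True only if the file carries a #h line that matches its own data."""
    expected = embedded_hash(text)
    actual = hashlib.sha1(hash_input(text).encode("ascii")).hexdigest()
    return expected is not None and expected == actual

def build_sample():
    """Constructed sample, not a real IERS file; #$ and #@ values are made up."""
    body = ("#$\t3676924800\n"
            "#@\t3928521600\n"
            "3644697600\t36\t# 1 Jul 2015\n"
            "3692217600\t37\t# 1 Jan 2017\n")
    digest = hashlib.sha1(hash_input(body).encode("ascii")).hexdigest()
    words = [digest[i:i + 8].lstrip("0") or "0" for i in range(0, 40, 8)]
    return body + "#h\t" + " ".join(words) + "\n"

SAMPLE = build_sample()

if __name__ == "__main__":
    print("sample verifies:", verify(SAMPLE))
    altered = SAMPLE.replace("\t37\t", "\t38\t")
    print("altered offset verifies:", verify(altered))
```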