On 02/18/2016 07:12 AM, Martin Burnicki wrote:
> after download you still can't be sure the file has not been modified. The included SHA1 hash can be generated by anyone

I wouldn't worry about this. We generate our own checksums for the entire tzdata distribution including the leap-seconds file, and sign them.

The main problem here is legal, not technical. I agree with Tony that the EUPL is not suitable for the tz project. It's a pain to use the EUPL even with GPLed code (e.g., GNU/Linux), much less BSD (e.g., FreeBSD). We need something more like public-domain or 3-clause BSD, both of which we already use. Public domain is preferable because it's simpler. CC0 would also be OK, I expect.

If this turns into a legal hassle for the IERS, as I suspect it will, then it's not worth their trouble. We'll just keep doing what we have been doing, or something like it.