On 11/04/2016 12:03 PM, Paul G wrote:
One thing I notice about the github release tags is that they don't include the signature on the tarball. If the tarballs can be reproducibly created on the github repository, I imagine it would go a long way to say that the "official" distribution is the one that has been signed.
The tarballs are reproducible, albeit with developer tools (e.g., one needs a 'tar' that is compatible with GNU Tar). I could email signatures (.asc files) to tz@iana.org as soon as I generate them, and this would let hurried but paranoid developers retrieve tagged commits and generate and verify the tarballs themselves, as long as they have the proper tools. This all sounds complicated, though. The developers of Oracle's TZUpdater tool apparently found the .asc files to be too much of a hassle, and instead use SHA-512 checksums from a central server. Should we slap more gingerbread atop a signature-checking procedure that already may be a bridge too far?