On Apr 7, 2017 4:41 PM, "Christian Rebischke" <Chris.Rebischke@archlinux.org>
wrote:

On Thu, Apr 06, 2017 at 06:27:08PM -0700, William Roberts wrote:
> Why not just checkout the release with git?

Because this wouldn't solve the problem or do you use signed commits in
your linux-audit git repository?


As long as you use a secure protocol and trust his repo signing the tags
doesn't give you all that much.

And even if you use signed commits I
really would appreciate if you would sign the tarball and provide a hash
for it on the release page. This would increase security a lot.


Yes agreed there, at least HTTPS connections are available.


cheers,
chris