Yo!

Currently packaging up b4 for Arch Linux and encountered a slight issue with the
release tarballs for the project.

The siganture says it needs to be compared against the tarball of the project,
however the kernel.org and googlesource.com only allows one to download the
gzipped tarball. To recreat the release artifact one would need to clone and
create the archive to have anything to compare against.

This doesn't work that well since we preferably include the sources
declaratively and not work out a tarball from the source checkout during
packaging. This also has the effect of most distros packaging the release
straight from pypi or from git with no release authentication.

Could the gzipped release tarballs be signed instead? Another alternative would
be to sign the release tags of b4.

-- 
Morten Linderud
PGP: 9C02FF419FECBE16