Joseph Parmelee <jparmele@xxxxxxxxxxxx> writes:

> Under the present circumstances, and particularly considering the
> sensitivity of the git code itself, I would suggest that you implement
> signed detached digital signatures on all release tarballs.

Well, signed tags are essentially detached signatures. People can
verify tarballs against them if they wanted to, although it is a bit
cumbersome.
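The check the reply describes, verifying a tarball against a signed tag, written out as an added example; it is not part of the original message or of git's own tooling. The function names are hypothetical, and the script assumes the tarball unpacks into a single top-level directory.

```shell
#!/bin/sh
# Added example: check a release tarball against a signed tag.
# Function names are hypothetical. Assumes the tarball unpacks into a
# single top-level directory (e.g. project-1.0/).

# Step 1: the signature. Succeeds only if the tag carries a valid
# signature from a key in the caller's keyring.
verify_tag_signature() {    # usage: verify_tag_signature REPO TAG
    git -C "$1" verify-tag "$2"
}

# Step 2: the content. Every file the tag records must be in the tarball
# byte for byte. Files found only in the tarball (for instance ones
# generated at release time) are listed: the tag does not vouch for them.
tarball_matches_tag() {     # usage: tarball_matches_tag REPO TAG TARBALL
    repo=$1 tag=$2 tarball=$3
    work=$(mktemp -d) || return 2
    mkdir "$work/tag" "$work/tar"
    git -C "$repo" archive --format=tar -o "$work/tag.tar" "$tag" &&
        tar -xf "$work/tag.tar" -C "$work/tag" &&
        tar -xf "$tarball" -C "$work/tar" --strip-components=1 ||
        { rm -rf "$work"; return 2; }
    # diff -rq prints "Only in DIR: NAME" or "Files A and B differ".
    diff -rq "$work/tag" "$work/tar" > "$work/report"
    rc=0
    while IFS= read -r line; do
        case $line in
            "Only in $work/tar"*) echo "not covered by tag: $line" ;;
            *) echo "MISMATCH: $line"; rc=1 ;;
        esac
    done < "$work/report"
    rm -rf "$work"
    return $rc
}

# Stand-alone use: sh verify.sh REPO TAG TARBALL
if [ $# -eq 3 ]; then
    verify_tag_signature "$1" "$2" && tarball_matches_tag "$1" "$2" "$3"
fi
```

The content comparison is only meaningful after the signature step has passed, since an unsigned or unverified tag proves nothing about who produced the tree.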