Mike Gerwitz <m...@gnu.org> wrote:

> On Thu, Jun 22, 2017 at 21:12:27 +0200, Ludovic Courtès wrote:
>> I think only GNU and kernel.org provide signatures, which represents 6%
>> of our packages. Of the 30% that do not have an updater, surely some
>> have digital signatures, but we’re probably still below 10%. The
>> situation is bad in general…
>
> What about signed tags/commits?

They’re becoming more widespread, especially now that GitHub’s UI can make sense of them. Nevertheless, I don’t think it changes the ratio much if we look at the whole package set that we have.

Ludo’.