Mattias Andrée wrote: > * An alternative to signature files is to sign the tags in Git, and those > that care enough could pull releases from git instead.
That is a nice idea. It doesn't require any extra signature/checksum file cruft on the webserver. It can easily be made optional and is in the maintainers hands if he wants to provide the signatures or not (with his own key). --Markus
