On Sat, 2015-11-21 at 20:09 +0100, Simon Ruderich wrote:
> Btw. it would be really nice if we could get signed releases
> (signed git tag and signature files for the tarballs). Having to
> download untrusted code and just running it is something I'd like
> to avoid. Especially useful for distributions which provide those
> sources to many users.

I totally agree with Simon here. It's not much of a hassle to do that;
in fact, even signed commits are nice and very easy with git, just use
git commit -S + the commit.signingkey option:

git config --global user.signingkey <key>

Best 
Christian