Jeffrey Walton wrote:
> You should probably mention ... signing tarballs.

GNU tarballs, distributed on ftp.gnu.org, are signed with an OpenPGP or LibrePGP key, yes. But since Gnulib is normally not downloaded from there, but from its git repo, tarball signing is not relevant here.

> If you rely on https: to deliver authentic [non-tampered] code, then
> that is called a "trusted distribution channel."

Both Gnulib's repo (https://git.savannah.gnu.org/git/gnulib.git) and many of the mentioned source code libraries use https transport. So, that's not a distinguishing feature of Gnulib. Then, why mention it?

Bruno
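The detached-signature check that tarball signing buys, as an added example that is not part of this thread and not GNU or Gnulib code: it builds a small constructed tarball, signs it with a throwaway OpenPGP key, verifies the signature, then flips one byte of the archive and shows the verification fail. It assumes GnuPG 2.1 or later is installed as `gpg` and a POSIX shell; the key identity, file names and temporary paths are made up for the demo. This is the property an https download alone does not give you: TLS authenticates the server you fetched from, not the person who produced the file.

```shell
#!/bin/sh
# Added example (not from the thread or from GNU): sign a constructed tarball
# with a throwaway OpenPGP key, verify the detached signature, then show that a
# tampered tarball is rejected. Assumes GnuPG 2.1+ as `gpg`; the key, file
# names and paths below are invented for the demo.
set -u

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"   # isolated keyring, never touches ~/.gnupg
mkdir -p "$GNUPGHOME"
chmod 700 "$GNUPGHOME"

# Constructed stand-in for a release tarball; prints its path.
make_tarball() {
    mkdir -p "$WORK/foo-1.0"
    printf 'int main(void) { return 0; }\n' > "$WORK/foo-1.0/main.c"
    (cd "$WORK" && tar -cf foo-1.0.tar foo-1.0)
    echo "$WORK/foo-1.0.tar"
}

# Throwaway signing key (no passphrase, never expires); idempotent so the
# demo can be run more than once in the same GNUPGHOME.
make_key() {
    gpg --batch --quiet --list-secret-keys 'demo@example.invalid' >/dev/null 2>&1 && return 0
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Key <demo@example.invalid>' \
        ed25519 sign never 2>/dev/null
}

# Detached signature next to the tarball, the same layout as foo.tar.gz.sig
# on ftp.gnu.org.
sign_tarball() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$1.sig" "$1" 2>/dev/null
}

# Exit status 0 only for a good signature made by a key in the keyring.
verify_tarball() {
    gpg --batch --quiet --verify "$1.sig" "$1" 2>/dev/null
}

# Full round trip; returns 0 when the good tarball verifies and the tampered
# one is rejected, 1 otherwise.
demo() {
    tarball=$(make_tarball)
    make_key
    sign_tarball "$tarball"
    verify_tarball "$tarball" || { echo "UNEXPECTED: good tarball failed"; return 1; }
    echo "good signature: $tarball"
    # Overwrite one byte of file content (offset 512 is just past the first
    # tar header); the detached signature no longer matches.
    printf 'X' | dd of="$tarball" bs=1 seek=512 conv=notrunc 2>/dev/null
    if verify_tarball "$tarball"; then
        echo "UNEXPECTED: tampered tarball verified"
        return 1
    fi
    echo "tampered tarball rejected"
}

demo
```

In real use the verifier's keyring would hold the release key fetched and checked through some channel other than the download itself (the keyring published by the project, a key signed by people you already trust); with only the downloaded `.sig` and a key that came over the same https connection, the check proves nothing beyond what TLS already proved.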