On 10 Aug 2015 16:05, Matthias Maier wrote:
> > Users can fetch/pull from Github.
> 
> We could also provide automatic signed tags every 30min/1h/2h/whatever
> (signed with a suitable infrastructure key). With that, the integrity of
> a tagged git checkout can be easily verified on client side.

it would have to re-use the same tag name every time otherwise we end up with 
17.5k/8.7k/4.3k/whatever new tags per year ... a really bad idea

depending on how fast the process is, it could just be part of the receive hook
on the server that does the checking now.  that way the tag is always up to date
with every push a developer makes.
-mike