> However, gpg signing release tag commits is dead simple and would
> take a total of maybe 10 minutes of work over the lifetime of the project
> (please correct me if I'm wrong).

I second this statement. GPG signing sounds good to me. We should do this.

> I know that https can be a bit tedious to set up so I am not asking for it
> (though I do think it would be great if it was enabled on the site in some
> fashion).

HTTPS is not so tedious these days with Let's Encrypt.
https://letsencrypt.org/

We should set up HTTPS as well.