I have continually been perplexed by the (apparent) lack of ways to retrieve the code for org-mode in a secure fashion, but always thought that I just haven't tried hard enough. Today it dawned on me that there probably simply is no such way.

I know that https can be a bit tedious to setup so I am not asking for it (though I do think it would be great if it was enabled on the site in some fashion). However, gpg signing release tag commits is dead simple and would take a total of maybe 10 minutes of work over the lifetime of the project (please correct me if I'm wrong). Given this, is there a reason this is not being done?

And if there is no reason, would it be possible to begin doing it, going forward?

Thanks in advance for the consideration,

Kosta