Signed commits could solve this in a more decentralized way if people post their public keys on their own domains.
Own domains is the real deal. My preferred model is tarball releases with checksums, or better yet, with signatures (like remind[0] or msmtp[1]). Such pages are trivial to host properly and load quickly.
[0]: https://dianne.skoll.ca/projects/remind/
[1]: https://marlam.de/msmtp/download/