zikichombo / sio

sound I/O
BSD 3-Clause "New" or "Revised" License

Proposal: guard releases against tampering with zc signature #6

Closed mewmew closed 6 years ago

mewmew commented 6 years ago

Two projects I follow have been owned recently by having their releases updated without any notice (ref: [1] and [2]). Note, releases do not have "git history", only a date added, so it's very difficult to track who did it and what changed.

The proposal is to cryptographically sign releases, both source and binary (if binary releases are provided) using a zc key.
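The signing scheme the proposal describes, written out as an added Go example (this is not code from the sio repository, and the key handling it assumes, an ed25519 key pair standing in for the "zc key", is a placeholder for whatever the project decides on). One signature covers a manifest of SHA-256 digests for every artifact in a release, so the source tarball and any binaries are all bound to the tag at once; the verifier then rejects a release whose files were swapped after the fact, whose manifest was rewritten without the key, or which carries an artifact the manifest never listed. The artifact bytes and names are constructed for illustration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// ReleaseManifest lists every artifact in a release by SHA-256 so that a
// single signature covers the whole set (source tarball plus any binaries).
type ReleaseManifest struct {
	Tag     string
	Digests map[string]string // artifact name -> hex SHA-256 of its bytes
}

// Canonical renders the manifest deterministically (artifacts sorted by name)
// so signer and verifier hash exactly the same bytes.
func (m ReleaseManifest) Canonical() []byte {
	names := make([]string, 0, len(m.Digests))
	for n := range m.Digests {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	fmt.Fprintf(&b, "tag %s\n", m.Tag)
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", m.Digests[n], n)
	}
	return []byte(b.String())
}

// BuildManifest hashes each artifact and records it under the release tag.
func BuildManifest(tag string, artifacts map[string][]byte) ReleaseManifest {
	m := ReleaseManifest{Tag: tag, Digests: map[string]string{}}
	for name, data := range artifacts {
		sum := sha256.Sum256(data)
		m.Digests[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// SignManifest produces a detached ed25519 signature over the canonical manifest.
// The private key is the release key; it never leaves the signer.
func SignManifest(priv ed25519.PrivateKey, m ReleaseManifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

// VerifyRelease checks, against the published manifest and signature, that
// (1) the manifest was signed by the project key, (2) every listed artifact
// is present with the signed digest, and (3) nothing unlisted was added.
// It returns nil on success or an error naming the first failure.
func VerifyRelease(pub ed25519.PublicKey, m ReleaseManifest, sig []byte, artifacts map[string][]byte) error {
	if !ed25519.Verify(pub, m.Canonical(), sig) {
		return fmt.Errorf("manifest signature does not verify against the project key")
	}
	for name, want := range m.Digests {
		data, ok := artifacts[name]
		if !ok {
			return fmt.Errorf("artifact %q listed in manifest is missing", name)
		}
		sum := sha256.Sum256(data)
		if got := hex.EncodeToString(sum[:]); got != want {
			return fmt.Errorf("artifact %q digest mismatch: manifest %s, got %s", name, want, got)
		}
	}
	for name := range artifacts {
		if _, ok := m.Digests[name]; !ok {
			return fmt.Errorf("artifact %q is not covered by the signed manifest", name)
		}
	}
	return nil
}

func main() {
	// Placeholder for the project's release key; generated fresh here.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed release artifacts standing in for real tarball/binary bytes.
	release := map[string][]byte{
		"sio-v0.1.0.tar.gz": []byte("constructed source tarball bytes"),
		"sio-linux-amd64":   []byte("constructed binary bytes"),
	}
	m := BuildManifest("v0.1.0", release)
	sig := SignManifest(priv, m)
	fmt.Println("genuine release:", VerifyRelease(pub, m, sig, release))

	// Same manifest and signature, but the binary was replaced on the server.
	tampered := map[string][]byte{
		"sio-v0.1.0.tar.gz": release["sio-v0.1.0.tar.gz"],
		"sio-linux-amd64":   []byte("replaced binary bytes"),
	}
	fmt.Println("tampered release:", VerifyRelease(pub, m, sig, tampered))
}
```

The public key and the signed manifest are what consumers need to pin; publishing them only next to the artifacts they protect gives an attacker who can rewrite the release the chance to rewrite them too, so they belong somewhere the release upload path cannot touch (a key committed to the repository, or distributed out of band).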

wsc1 commented 6 years ago

Sounds good and necessary.

However, I have never set that up or used it. No binary release mechanism has been discussed and no related infrastructure put in place. Probably we should wait on binaries at least.

We are thinking about how to manage zc keys.

wsc1 commented 6 years ago

Redirected to meta.