On Wed, Sep 13, 2017 at 11:42:05 +0300, Eli Zaretskii wrote:
> The full source is in the tarball, and the change was posted in advance.
> How can a Git branch increase the trust is beyond me.
>
> This certainly smells of NIH etc.

Also, the tarball was uploaded to ftp.gnu.org, and signed.  Uploading to
ftp.gnu.org itself requires the request to be signed with a GPG key
registered on Savannah.[0]  This level of security is greater and more
formal than repository commits/tags.

If someone's system were compromised to the point of being able to
successfully upload to ftp.gnu.org, chances are that they'll be able to
forge a commit to the repository as well.

[0]: https://www.gnu.org/prep/maintain/maintain.html#Distribution-on-ftp_002egnu_002eorg

--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
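The two checks the message above leans on, a detached GPG signature on the release tarball and a GPG-signed upload directive for ftp.gnu.org, as an added example that is not part of the thread and is neither GNU's nor Mike Gerwitz's code. It assumes gpg 2.1 or newer and tar on PATH; the maintainer key, the `foo-1.0` tarball and the directive contents are all constructed here in a temporary GNUPGHOME, and the directive layout (`version:` / `directory:` / `filename:` lines, clearsigned to a `.directive.asc` file) follows the GNU maintainers' manual linked as [0]. The verification helpers deliberately require a good signature from one expected fingerprint, since a valid signature from an arbitrary key proves nothing; that is what the Savannah key registration provides on the real server.

```shell
#!/bin/sh
# Added example, not from the thread or from GNU: exercise a detached tarball
# signature and a clearsigned ftp.gnu.org upload directive with a throwaway
# key. Assumes gpg >= 2.1 and tar on PATH; all inputs are constructed below.
set -u

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Non-interactive gpg with an empty passphrase on the throwaway key.
g() { gpg --batch --no-tty --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Throwaway key standing in for a maintainer key registered on Savannah.
g --quick-gen-key 'Example Maintainer <maintainer@example.invalid>' default default never 2>/dev/null
MAINTAINER_FPR=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')

# Constructed release tarball (not a real project) and its detached signature.
mkdir -p "$WORK/foo-1.0"
printf 'int main(void) { return 0; }\n' > "$WORK/foo-1.0/main.c"
TARBALL="$WORK/foo-1.0.tar.gz"
tar -C "$WORK" -czf "$TARBALL" foo-1.0
g --detach-sign "$TARBALL"            # writes foo-1.0.tar.gz.sig

# Upload directive in the layout described by the GNU maintainers' manual [0],
# clearsigned so the server can check who is asking for the upload.
DIRECTIVE="$TARBALL.directive"
printf 'version: 1.2\ndirectory: foo\nfilename: foo-1.0.tar.gz\n' > "$DIRECTIVE"
g --clearsign "$DIRECTIVE"            # writes foo-1.0.tar.gz.directive.asc

# Good detached signature on TARBALL from exactly the expected fingerprint.
tarball_ok() {  # tarball_ok TARBALL FINGERPRINT
  gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null | grep -q "VALIDSIG $2 "
}

# Good clearsignature on the directive from the expected fingerprint, and the
# directive must name the tarball it accompanies.
directive_ok() {  # directive_ok DIRECTIVE.asc TARBALL FINGERPRINT
  gpg --batch --status-fd 1 --verify "$1" 2>/dev/null | grep -q "VALIDSIG $3 " \
    && grep -qx "filename: $(basename "$2")" "$1"
}

# Returns 0 when a modified copy of the tarball is rejected against the
# original signature, i.e. the signature actually binds the bytes.
tampered_rejected() {  # tampered_rejected TARBALL
  cp "$1" "$1.tampered" && printf 'x' >> "$1.tampered"
  ! gpg --batch --verify "$1.sig" "$1.tampered" 2>/dev/null
}

if tarball_ok "$TARBALL" "$MAINTAINER_FPR" \
   && directive_ok "$DIRECTIVE.asc" "$TARBALL" "$MAINTAINER_FPR" \
   && tampered_rejected "$TARBALL"; then
  echo "signed tarball and directive verify; tampered tarball is rejected"
else
  echo "verification did not behave as expected" >&2
fi
```

Run it with `sh`; everything lives under the mktemp directory and is removed on exit. The real server additionally checks the signing key against the one registered for the package on Savannah, which is what the fingerprint comparison stands in for here.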