> (3) Sign official releases using the PGDG private key, and provide the
> signatures on www.postgresql.org along with the packages themselves.
Sounds about right. I'd go as far as to sign release announcements and
security emails as well.
--
Rod Taylor <rbt(at)rbt(dot)ca>
PGP Key: http://www.rbt.ca/rbtpub.asc