secp256k1

release: Release tarballs? How to sign releases?

Open real-or-random opened this issue 1 year ago • 6 comments

Some things that popped up during the 0.2.0 release:

  • Which tarball should we use as official release in the future?
    • github or
    • locally run git archive
    • make dist (diff should be just ci, and dotfiles)?
  • Sign the tarball and add the sigs to the release?

Some considerations:

  • github tarball is simple and easy to refer to by tag. Tarballs and links are created automatically
  • git archive may be nice because it can be recreated locally. But then, if we want all maintainers to sign the tarball, we need to make sure it's deterministic.
  • make dist does not seem to be a good choice. It's a bit silly to not include files like .gitignore and .cirrus.yml. I mean this is for devs of the library, you would want to have these files. And this method depends on the build system and we want to support more than one build system in the future. (And this would raise questions like "should the autotools tarball include cmake files?" in the future.)

real-or-random, Dec 12 '22 23:12
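
The determinism concern raised above for a locally run `git archive` can be checked mechanically before anyone signs. The following is an added example, not part of the original issue or the project's release tooling; the demo repository, the tag `v0.0.1` and the prefix `demo-v0.0.1/` are constructed, and it assumes `git` and `sha256sum` are installed.

```shell
#!/bin/sh
# Added example: can two maintainers reproduce the same `git archive` bytes?

# archive_sha256 REPO TAG PREFIX: SHA-256 of the uncompressed tar stream for TAG.
# The tar stream is hashed rather than a .tar.gz because compressed bytes
# can vary with the gzip implementation used.
archive_sha256() {
    # Fail early on an unknown tag; otherwise the pipeline would hash empty input.
    git -C "$1" rev-parse -q --verify "$2^{commit}" >/dev/null || return 1
    git -C "$1" archive --format=tar --prefix="$3" "$2" | sha256sum | cut -d' ' -f1
}

# make_demo_repo DIR: constructed one-commit repository with tag v0.0.1 (sample data).
make_demo_repo() {
    git init -q "$1" &&
    printf 'constructed sample file\n' > "$1/README" &&
    git -C "$1" add README &&
    GIT_AUTHOR_DATE='1670803200 +0000' GIT_COMMITTER_DATE='1670803200 +0000' \
        git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m 'constructed commit' &&
    git -C "$1" tag v0.0.1
}

# same_archive REPO_A REPO_B TAG PREFIX: succeeds only if both checkouts
# produce byte-identical archives, so one set of signatures covers the same bytes.
same_archive() {
    a=$(archive_sha256 "$1" "$3" "$4") || return 1
    b=$(archive_sha256 "$2" "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# demo: a second clone stands in for a second maintainer's machine.
demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_repo "$tmp/maintainer-a" &&
    git clone -q "$tmp/maintainer-a" "$tmp/maintainer-b" &&
    if same_archive "$tmp/maintainer-a" "$tmp/maintainer-b" v0.0.1 demo-v0.0.1/; then
        echo "reproducible: $(archive_sha256 "$tmp/maintainer-a" v0.0.1 demo-v0.0.1/)"
    else
        echo "archives differ"
    fi
    rm -rf "$tmp"
}
demo
```

The `--prefix` value is part of the archived paths, so maintainers have to agree on it as well as on the tag for the hashes to match.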