Please sign release tarballs and/or release tags

[ottok]

While packaging a new version of RocksDB for Debian (https://salsa.debian.org/debian/rocksdb), I noticed that there are no *.asc signatures published at https://github.com/facebook/rocksdb/releases nor does the git tags in this project have signatures.

For better supply chain security, please consider signing both tags and release artifacts. Thanks!

[ottok]

Also, related to needs in Debian, why are you making so frequent releases? Can you add a tag to some release that is considered more than average "stable" so downstreams know which version to distribute, instead of taking a random version from October, November or December.

[ottok]

Any comments on this one?