The problem I outline is not about a physical-to-digital link. It is essentially about decentralization and using a tamper-proof append-only log to store key events and signatures.
Storing commits on GitHub is neither of those things; data is owned by a single company in the US, and previously published logs can be deleted to recreate a false history.
> previously published logs can be deleted to recreate a false history.
No, it can't; that's the point of git. In git parlance that would be a rebase, which is instantly and unavoidably obvious, and people just wouldn't take anyone's rebases.
And how do you plan to host and distribute that? If not GitHub, maybe your own site, but neither is tamper-proof or verifiably secure. In both cases the repo owner can delete commits and rewrite history, and viewers would not know. There needs to be some way to come to consensus about which SHA-1 head is valid. In a website, it is just whatever the website tells you is the correct chain. For it to be verifiably tamper-proof you would need a consensus mechanism, which would spawn a blockchain.
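The check the thread is arguing about, as an added example that is not part of any post above: a simplified hash-chained log (SHA-256 over parent plus payload, not git's object format) audited by a viewer who pinned an earlier head and by one who did not. All function names and the sample key events are constructed for illustration.

```python
import hashlib

GENESIS = "0" * 64  # parent of the first entry (assumed convention)

def entry_hash(parent: str, payload: str) -> str:
    # Each entry commits to its parent, so changing or dropping any
    # earlier entry changes every later hash, including the head.
    return hashlib.sha256(f"{parent}\n{payload}".encode()).hexdigest()

def build_chain(payloads):
    """Return a list of (hash, parent, payload) tuples, oldest first."""
    chain, parent = [], GENESIS
    for payload in payloads:
        h = entry_hash(parent, payload)
        chain.append((h, parent, payload))
        parent = h
    return chain

def head(chain):
    return chain[-1][0] if chain else GENESIS

def is_self_consistent(chain):
    """Recompute every link; catches in-place edits of a served chain."""
    parent = GENESIS
    for h, par, payload in chain:
        if par != parent or entry_hash(par, payload) != h:
            return False
        parent = h
    return True

def audit(chain, pinned_head=None):
    """Classify a served chain from the viewer's side.

    pinned_head is a head hash the viewer saved on an earlier visit.
    Without one, a rewritten but internally valid chain cannot be
    distinguished from the original.
    """
    if not is_self_consistent(chain):
        return "corrupt"
    if pinned_head is None:
        return "accepted-unverified"
    in_history = pinned_head == GENESIS or any(h == pinned_head for h, _, _ in chain)
    return "fast-forward" if in_history else "history-rewritten"

# Constructed sample: the publisher later drops the revocation event.
ORIGINAL = build_chain(["key-created alice", "key-rotated alice", "key-revoked alice"])
REWRITTEN = build_chain(["key-created alice", "key-rotated alice", "signed doc-42"])
EXTENDED = build_chain(["key-created alice", "key-rotated alice", "key-revoked alice", "key-created bob"])

if __name__ == "__main__":
    print("returning viewer:", audit(REWRITTEN, pinned_head=head(ORIGINAL)))
    print("first-time viewer:", audit(REWRITTEN))
```

The returning viewer gets `history-rewritten` because the pinned head is no longer in the served history, while the first-time viewer gets `accepted-unverified` for the same chain.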