diff --git a/howto/gitlab.md b/howto/gitlab.md
index 048196b4c2660efe2e142c6878bf5b42b72ff427..fa7c5bef258dd21c9ad85928096bd57f2e2ed44f 100644
--- a/howto/gitlab.md
+++ b/howto/gitlab.md
@@ -1230,6 +1230,12 @@ holds the public keys:
 It's unclear, however, why the latter spec wasn't reused. To be
 investigated.
 
+Update, 2022-04-20: someone actually went through the trouble of
+[auditing the transparency log](https://tlog.linderud.dev/), which is an interesting exercise
+in itself. The [verifier source code](https://github.com/Foxboron/kernel.org-git-verifier) is available, but probably
+too specific to Linux for our use case. [Their notes are also
+interesting](https://linderud.dev/blog/monitoring-the-kernel.org-transparency-log-for-a-year/).
+
 ### Ryabitsev: Secure Scuttlebutt
 
 A more exotic proposal is to [use the Secure Scuttlebutt (SSB)
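Review bot: the added "Update, 2022-04-20" paragraph credits the audit to "someone" and dismisses the verifier as "probably too specific to Linux for our use case" without saying what makes it unsuitable. Both are worth tightening, since the linked URLs (linderud.dev, the Foxboron/kernel.org-git-verifier repository) already identify the source, and the repository name suggests the coupling is to kernel.org's log rather than to Linux as such. Suggest naming the author in the text and adding one clause on which part of the verifier would need to change for it to be reused here, so the reader can judge the "too specific" assessment. It is also unclear whether this update bears on the "To be investigated" question just above it about why the latter spec wasn't reused. If it does not, a short blank-line-separated note or its own sub-heading would keep the open question from reading as answered.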