Re: Questioning debian/upstream/signing-key.asc

[Paul Wise <pabs@debian.org>]

On Fri, Mar 26, 2021 at 9:15 PM Timo Röhling wrote:

> It's the same for me: the only package I maintain where upstream signs their
> releases is the package where I am also the author. And I really don't think
> that it provides any additional value for Debian in this particular
> constellation; I just keep doing it in case some other distribution
> wants to rely on the signature as integrity check.

The stored keys have value in the potential future scenario where you
remain the upstream release manager but move package maintenance to a
team or hand off maintenance to someone you are mentoring or someone
else. Or even when you do a new upstream release but forget to upload,
and someone else NMUs it for you.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise