Re: Request for Sponsorship

On Sat, Jul 19, 2014 at 8:06 PM, Paul Wise <pabs@debian.org> wrote:
> On Sun, Jul 20, 2014 at 10:26 AM, Vincent Cheng wrote:
>> Let me rephrase that. By all means, encourage your upstream to provide
>> signed tarballs; however, it's not a requirement per Policy to ensure
>> that upstream has signed their tarballs, nor is a package RC-buggy
>> if it fails this _pedantic_ lintian tag (the vast majority of the
>> archive would be instantly RC-buggy if that were the case). So no, you
>> do not have to fix debian-watch-may-check-gpg-signature in your
>> package, and as a sponsor I'm perfectly willing to upload packages
>> where the source tarball isn't signed by upstream.
> ... and if upstream refuses to sign their tarballs then you should
> override the lintian warning with a link to the post/page where they
> said that.

...which would be nice to have, I agree, but it's not something I'd
enforce as a sponsor. In terms of Policy-speak, I'd downgrade that
"should" to a "could"; but definitely not a "must".


