
Re: Request for Sponsorship



On Sat, Jul 19, 2014 at 7:14 PM, Paul Wise <pabs@debian.org> wrote:
> On Sun, Jul 20, 2014 at 5:55 AM, Vincent Cheng wrote:
>
>> Feel free to ignore that tag if upstream doesn't sign their release
>> tarballs. It's by no means mandatory, just nice to have (hence
>> "pedantic").
>
> In a world where we have an active worldwide network adversary (and
> probably more than one), I would say signing and verifying release
> tarballs and VCS commits is more important than 'pedantic' :)

Let me rephrase that. By all means, encourage your upstream to provide
signed tarballs; however, it's not a requirement per Policy to ensure
that upstream has signed their tarballs, nor is it a package RC-buggy
if it fails this _pedantic_ lintian tag (the vast majority of the
archive would be instantly RC-buggy if that were the case). So no, you
do not have to fix debian-watch-may-check-gpg-signature in your
package, and as a sponsor I'm perfectly willing to upload packages
where the source tarball isn't signed by upstream.

Regards,
Vincent
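For readers wondering what the lintian tag is actually asking for, here is an added illustration (not part of the thread, and not a Debian project file) of a debian/watch file that tells uscan to download upstream's detached signature and verify the tarball against a key shipped in the package. The project name `foo` and the host `example.org` are placeholders; the signature URL pattern (upstream's `.asc` next to each tarball) is an assumption about how this hypothetical upstream publishes releases.

```text
# debian/watch (illustrative; foo and example.org are placeholders)
version=4
# pgpsigurlmangle derives the signature URL from the tarball URL:
# foo-1.2.3.tar.gz  ->  foo-1.2.3.tar.gz.asc
opts=pgpsigurlmangle=s/$/.asc/ \
  https://example.org/releases/foo-(\d[\d.]*)\.tar\.gz
```

With this in place, uscan fetches both files and checks the signature against the ASCII-armored public key stored at debian/upstream/signing-key.asc; if the key is missing or the signature does not verify, the download is rejected rather than silently accepted. Obtain the upstream key through a channel you trust (upstream's announced fingerprint, a keyserver cross-checked against it) rather than from the same download location as the tarball, otherwise the check only proves the attacker who controls the mirror also controls the key.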

