Hi all,

In devscripts 2.13.3, uscan gained the ability to verify the signature of the upstream tarball using a file debian/upstream-signing-key.pgp. In 2.14.0, I added the ability to use armored keys and decided to move the files under debian/upstream/, an idea which had been suggested by a few people.

This introduced a conflict with DEP-12 (cf. #736760), which uses debian/upstream to track metadata about the upstream project. Tools like umegaya[0] and Debian Med's task list[1] use the information provided in this file.

[0]: http://upstream-metadata.debian.net/
[1]: http://blends.debian.org/med/tasks/

Part of the reason I chose to use debian/upstream/ is that an extensible location for upstream related information (similar in spirit to debian/source/) could be useful. I also was unaware of (or had forgotten about) DEP-12's existing use of debian/upstream, which was appropriated around 01/2012 as the new name for debian/upstream-metadata.yaml.

This leads to the question of how to move forward from here?

Transitioning to debian/upstream/ would require:

- Choosing a new name for DEP-12's file and updating the wording in DEP-12. My suggestion would be debian/upstream/metadata.
- Updating the data collection code for umegaya and Debian Blends, the latter of which has an initial patch[2] based on my suggestion in 1).
- Renaming the file in the VCS repositories for all packages providing this information. This is ~350 packages according to ullman:/srv/udd.debian.org/mirrors/machine-readable, which doesn't include packages that still haven't transitioned from upstream-metadata.yaml. Note that this only needs to happen in the VCS and not a source upload.

[2]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736760#35

Sticking with the status quo would require:

- Changing uscan to look for debian/upstream-signing-keys.{pgp,asc}
- Updating the ~17 packages that have started using debian/upstream/

While the latter is less work, my preference would be for the former since it provides a consistent place to look for upstream information in the context of a Debian source package. It seems unlikely to me both that uscan/DEP-12 will be the only projects that will want access to upstream-related information and that any other information would necessarily fit into one of those two buckets that they understand.

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jamessan@debian.org>