
Re: Survey: git packaging practices / repository format



On Mon, Jul 01, 2019 at 03:04:26PM +0200, Enrico Weigelt, metux IT consult wrote:
> On 29.05.19 17:41, Andrey Rahmatullin wrote:
> 
> >> Perhaps we should update policy to say that the .orig tarball may (or
> >> even "should") be generated from an upstream release tag where
> >> applicable.
> > This conflicts with shipping tarball signatures.
> 
> Does that really need to be the upstream's tarballs?
The idea is checking the sig that the upstream made, with the key the
upstream published.

> If it's about validating the source integrity all along the path from
> upstream to deb-src repo, we could do that by auditable process
> (e.g. fully automatic, easily reproducible transformations)
Sounds very complicated.

-- 
WBR, wRAR
