
Bug#982562: general: Storing upstream signatures next to upstream tarballs is problematic
Package: general
Severity: normal
User: devel@kali.org
Usertags: origin-kali
X-Debbugs-Cc: hertzog@debian.org, debian-dpkg@lists.debian.org
Control: affects -1 ftp.debian.org dpkg-dev

Hi people,

After having been bitten (in Kali) by failures to import Debian packages
because a PGP signature file has been modified [1], this led me to think
about this problem space and I concluded that the way we are storing
such signatures is not appropriate.

Those files are not really meant to be immutable:
- signing keys can expire and be revoked, upstream might want to update
  signatures of already released tarballs
- the set of "upstream release managers" might evolve over time and the
  official signature to use might change...

If we assume that the archive is meant to store immutable content
under a given filename (and to me that requirement seems to be a good
idea), then we should question ourselves whether we really want to store
those signatures in a filename that's associated to the upstream version.
They should either be tied to the Debian revision (so that they can change
over time without any new upstream release) or be incorporated in the
Debian tarball.

After all, the key to verify those signatures is already stored in the
Debian tarball (when you use the uscan feature to verify those
signatures), so why not store the signature there as well?

I originally filed this in https://bugs.debian.org/949962 against
ftp.debian.org but the bug got closed because it's not really the
responsibility of ftpmasters to change this. So I'm starting a wider
discussion to gather feedback of all interested parties (at least
Guillem as dpkg maintainer). I won't drive this much further but
I wanted to have it properly recorded and considered.

Cheers,

[1] For details it happened in dbus-glib:
https://snapshot.debian.org/package/dbus-glib/0.110-2/ -> it has .asc file
https://snapshot.debian.org/package/dbus-glib/0.110-3/ -> no .asc
https://snapshot.debian.org/package/dbus-glib/0.110-4/ -> no .asc
https://snapshot.debian.org/package/dbus-glib/0.110-5/ -> it has a
different .asc file
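
The dbus-glib history in [1] is exactly the kind of drift an importer can detect before it fails. The following is an added example, not code from the bug report or from dpkg: it reads the Checksums-Sha256 field of each revision's .dsc and reports any upstream-named file (.orig.tar*) whose digest changed, or which disappeared, between Debian revisions. The field fragments and digests are constructed placeholders; real .dsc files carry 64-hex-character SHA-256 values.

```python
import re

# Constructed Checksums-Sha256 fields from the .dsc of three Debian revisions
# of one upstream version; the digests are short made-up placeholders.
DSC_BY_REVISION = {
    "0.110-2": """\
Checksums-Sha256:
 aaaa01 1000 dbus-glib_0.110.orig.tar.gz
 bbbb01 800 dbus-glib_0.110.orig.tar.gz.asc
 cccc01 5000 dbus-glib_0.110-2.debian.tar.xz
""",
    "0.110-3": """\
Checksums-Sha256:
 aaaa01 1000 dbus-glib_0.110.orig.tar.gz
 cccc02 5100 dbus-glib_0.110-3.debian.tar.xz
""",
    "0.110-5": """\
Checksums-Sha256:
 aaaa01 1000 dbus-glib_0.110.orig.tar.gz
 bbbb02 800 dbus-glib_0.110.orig.tar.gz.asc
 cccc03 5200 dbus-glib_0.110-5.debian.tar.xz
""",
}
# One entry of the field: " <sha256> <size> <filename>" (real digests are 64 hex chars)
CHECKSUM_LINE = re.compile(r"^ ([0-9a-f]+) (\d+) (\S+)$")

def parse_sha256(dsc_text):
    """Return {filename: sha256} from the Checksums-Sha256 field of a .dsc."""
    lines, result = iter(dsc_text.splitlines()), {}
    for line in lines:
        if line.startswith("Checksums-Sha256:"):
            break
    for line in lines:                 # indented continuation lines list the files
        m = CHECKSUM_LINE.match(line)
        if not m:                      # next field (or end of text) ends the list
            break
        result[m.group(3)] = m.group(1)
    return result

def check_upstream_files(dsc_by_revision):
    """Report .orig.tar* files whose digest differs between revisions (the
    immutability violation) and revisions from which such a file is absent."""
    seen = {}                          # filename -> {revision: sha256}
    for rev, text in dsc_by_revision.items():
        for name, digest in parse_sha256(text).items():
            if ".orig.tar" in name:    # named after the upstream version, not the revision
                seen.setdefault(name, {})[rev] = digest
    changed = {n: r for n, r in seen.items() if len(set(r.values())) > 1}
    missing = {n: sorted(set(dsc_by_revision) - set(r))
               for n, r in seen.items() if len(r) < len(dsc_by_revision)}
    return changed, missing
```

Run against real .dsc files, a non-empty `changed` result is the case the archive's immutable-filename assumption is supposed to rule out, and `missing` shows the revisions that silently dropped the signature.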
