On Fri, Feb 12, 2021 at 08:59:12AM +0100, Raphael Hertzog wrote:
> Control: block -1 by 876643
>
> Hi,
>
> thanks for your quick answer!
>
> On Fri, 12 Feb 2021, Guillem Jover wrote:
> > > If we assume that the archive is meant to store immutable content
> > > under a given filename (and to me that requirement seems to be a good
> > > idea), then we should question ourselves whether we really want to store
> > > those signatures in a filename that's associated to the upstream version.
> > > They should either be tied to the Debian revision (so that they can change
> > > over time without any new upstream release) or be incorporated in the
> > > Debian tarball.
> >
> > The upstream signatures are important to determine the provenance of
> > the source at the time of packaging, just like the signatures on .dsc,
> > both lose relevance once they hit an archive.
>
> I agree with this. Why do we want to upload them and store them forever
> then?
>
> > This seems mostly a tooling problem TBH.
>
> Yeah, it would go a long way if pristine-tar would store the associated
> signature and restore it as well. It's easy to forget to include it
> when the uploads are not done by the same person.
It can, since version 1.41:
debcheckout confget
cd confget
git checkout pristine-tar
git checkout master
git checkout debian/master
pristine-tar checkout -s ../confget_2.3.4.orig.tar.xz.asc ../confget_2.3.4.orig.tar.xz
gpg --verify ../confget_2.3.4.orig.tar.xz{.asc,}
G'luck,
Peter
--
Peter Pentchev roam@ringlet.net roam@debian.org pp@storpool.com
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
Attachment:
signature.asc
Description: PGP signature