Bug#982562: general: Storing upstream signatures next to upstream tarballs is problematic

[Mattia Rizzolo <mattia@debian.org>]

On Fri, 12 Feb 2021, 10:25 am Rene Engelhard, <rene@debian.org> wrote:

Hi,

Am 11.02.21 um 21:59 schrieb Raphaël Hertzog:

> [1] For details it happened in dbus-glib:
> https://snapshot.debian.org/package/dbus-glib/0.110-2/ -> it has .asc file
> https://snapshot.debian.org/package/dbus-glib/0.110-3/ -> no .asc
> https://snapshot.debian.org/package/dbus-glib/0.110-4/ -> no .asc
> https://snapshot.debian.org/package/dbus-glib/0.110-5/ -> it has a
> different .asc file
>
Why should anything else than -1 have a .asc file anyways in the upload?

That's .orig.tar.xz (or whatever compression) and the accompanying
.orig.tar.xz.asc.

Since -2 etc don't upload the .orig again there's no need to upload the
signature of the .orig again.

You are likely confusing the .dsc and the .changes.

The .dsc *always* refer to all the source files, even if not uploaded.  That clearly also includes the .asc.