
Bug#982562: general: Storing upstream signatures next to upstream tarballs is problematic



On Thu, Feb 11, 2021 at 09:59:42PM +0100, Raphaël Hertzog wrote:
> Those files are not really meant to be immutable:
> - signing keys can expire and be revoked, upstream might want to update
>   signatures of already released tarballs
> - the set of "upstream release managers" might evolve over time and the
>   official signature to use might change...
> 
As far as we're concerned they are immutable: they are the signature of
the tarball at the time that tarball was uploaded to Debian.  There's no
reason for that to change without the tarball itself changing, at which
point both filenames change.

Cheers,
Julien
