Bug#982562: general: Storing upstream signatures next to upstream tarballs is problematic
Hi,
On Fri, 12 Feb 2021, at 08:59, Raphael Hertzog wrote:
> On Fri, 12 Feb 2021, Guillem Jover wrote:
> > > If we assume that the archive is meant to store immutable content
> > > under a given filename (and to me that requirement seems to be a good
> > > idea), then we should question ourselves whether we really want to store
> > > those signatures in a filename that's associated to the upstream version.
> > > They should either be tied to the Debian revision (so that they can change
> > > over time without any new upstream release) or be incorporated in the
> > > Debian tarball.
> > The upstream signatures are important to determine the provenance of
> > the source at the time of packaging, just like the signatures on .dsc,
> > both lose relevance once they hit an archive.
> I agree with this. Why do we want to upload them and store them forever
> then?
> > This seems mostly a tooling problem TBH.
> Yeah, it would go a long way if pristine-tar would store the associated
> signature and restore it as well. It's easy to forget to include it
> when the uploads are not done by the same person.
By the way, that’s what pristine-lfs always does.
--
Cheers,
Andrej
Reply to: