Bug#982562: general: Storing upstream signatures next to upstream tarballs is problematic



Hi,

On Fri, 12 Feb 2021, at 08:59, Raphael Hertzog wrote:
> On Fri, 12 Feb 2021, Guillem Jover wrote:
> > > If we assume that the archive is meant to store immutable content
> > > under a given filename (and to me that requirement seems to be a good
> > > idea), then we should question ourselves whether we really want to store
> > > those signatures in a filename that's associated to the upstream version.
> > > They should either be tied to the Debian revision (so that they can change
> > > over time without any new upstream release) or be incorporated in the
> > > Debian tarball.

> > The upstream signatures are important to determine the provenance of
> > the source at the time of packaging, just like the signatures on .dsc,
> > both lose relevance once they hit an archive.

> I agree with this. Why do we want to upload them and store them forever
> then?

> > This seems mostly a tooling problem TBH.

> Yeah, it would go a long way if pristine-tar would store the associated
> signature and restore it as well. It's easy to forget to include it
> when the uploads are not done by the same person.

By the way, that’s what pristine-lfs always does.

-- 
Cheers,
  Andrej
