
Re: Questioning debian/upstream/signing-key.asc



* Russ Allbery <rra@debian.org> [2021-03-26 13:01]:
> Personally, I'd be happy to drop the upstream signing keys from all of my
> packages and save a bit of work.  I never use them as the package
> maintainer because I'm the only upstream of my packaging that signs
> packages, and therefore I already know the tarballs are authentic without
> using a signature to prove it.  I include them only for the use of others.
> If you're right that no one else cares, I'll save myself the time and
> energy of refreshing them periodically.  But I'd like to see some
> confirmation that people really don't care.

It's the same for me: the only package I maintain where upstream signs their
releases is the package where I am also the author. And I really don't think
that it provides any additional value for Debian in this particular
constellation; I just keep doing it in case some other distribution
wants to rely on the signature as an integrity check.

- Timo
