* Russ Allbery <rra@debian.org> [2021-03-26 13:01]:
> Personally, I'd be happy to drop the upstream signing keys from all of my packages and save a bit of work. I never use them as the package maintainer because I'm the only upstream of my packaging that signs packages, and therefore I already know the tarballs are authentic without using a signature to prove it. I include them only for the use of others. If you're right that no one else cares, I'll save myself the time and energy of refreshing them periodically. But I'd like to see some confirmation that people really don't care.
It's the same for me: the only package I maintain where upstream signs their releases is the package where I am also the author. And I really don't think that it provides any additional value for Debian in this particular constellation; I just keep doing it in case some other distribution wants to rely on the signature as an integrity check. - Timo