Hi
Another idea to have a compromise:
* uscan is released with versioned schemes (GitHub.json, sf.json,...)
* when launched, it tries to download new version from a new Debian API
(static json files)
* if no response or no new version, uscan uses its own scheme or a
previously downloaded update (verifying signature)
* if a new version is available from new redirector:
* it verifies GPG signature of new scheme
* if not OK, it warns and uses cached scheme
* if OK, it stores it with signature in ~/.cache/uscan/schemes
What I don't like is that it will need time to check new profiles on a central site, which looks like an invitation for DoS situations.
I propose a variation of this: an explicit
"uscan --update" will update the profiles, and all other calls will use the known profiles.
Cheers,
J. Puydt