Re: debian/upstream/signing-key.asc in policy 4.1.0



On Wed, 23 Aug 2017, Russ Allbery wrote:
> Note that this Policy language is carefully written to make it perfectly
> fine for uscan to support all the things it currently supports, since it
> only talks about what Policy recommends the maintainer does.  So don't
> feel any obligation to change what uscan is doing on Policy's account
> here.

Actually, the text in 4.1.0.0 might be doing too much.  It reads:

"If the upstream maintainer of the software provides OpenPGP signatures
for new releases, including the information required for "uscan" to
verify signatures for new upstream releases is also recommended. To do
this, use the "pgpsigurlmangle" option in "debian/watch" to specify
the location of the upstream signature, and include the key or keys
used to sign upstream releases in the Debian source package as
"debian/upstream/signing-key.asc"."

IMO, it should either not be mandating uscan internals, or it should be
very clear about the exact subset of stuff we can use in debian/watch
(version, etc).  For example, I'd rather use opt="..., pgpmode=auto,..."
instead of explicitly hardcoding a "pgpsigurlmangle".

IMHO, just drop everything from "To do this..." to the end of that
paragraph entirely.  HOW one gets "uscan" to fetch and check upstream
signatures is a job for the uscan(1) manpage.  Alternatively, just
mention "debian/watch", and to refer to the uscan documentation in
package "devscripts".

OTOH, if we really need to mandate a specific level of debian/watch
support, the current text in policy needs work: it doesn't even tell me
whether I can use version=3 (supported in oldstable), or version=4
(supported in oldstable-backports and stable), for example...

-- 
  Henrique Holschuh
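As an added illustration (not part of this message or of Debian Policy), here is a version=4 debian/watch file showing the two ways of pointing uscan at upstream's detached signature that the mail contrasts: the explicit "pgpsigurlmangle" wording from the Policy text, and "pgpmode=auto". The URL and tarball name are placeholders.

```text
# Constructed example; https://example.org/releases/ and foo-*.tar.gz are placeholders.
version=4

# Variant 1: as in the Policy text, hardcode how the signature URL is derived
# from the tarball URL (here: append ".asc").
opts="pgpsigurlmangle=s/$/.asc/" \
  https://example.org/releases/ foo-(\d[\d.]*)\.tar\.gz

# Variant 2 (the mail's preference): let uscan probe the usual signature
# suffixes itself instead of hardcoding one. Commented out so that the file
# carries a single active watch line.
# opts="pgpmode=auto" \
#   https://example.org/releases/ foo-(\d[\d.]*)\.tar\.gz

# In both variants uscan verifies the downloaded signature against the
# keyring shipped in debian/upstream/signing-key.asc and refuses the
# tarball if the check fails.
```

Which "pgpmode" values and which watch-file versions a given uscan release understands is documented in uscan(1) from the devscripts package, which is exactly the information the mail argues Policy should defer to rather than restate.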