
Bug#711553: [lintian] New pedantic check for missing pgpsigurlmangle in debian/watch
Package: lintian
Severity: wishlist
Daniel Kahn Gillmor did a fantastic job in implementing PGP verification
of upstream source through uscan (bug #610712). A new option called
pgpsigurlmangle was added to the watch file opts= to generate the
upstream URL of a PGP signature. This signature is automatically
downloaded and verified against a keyring stored in
debian/upstream-signing-key.pgp.

This approach is similar to the opensuse-factory build time verification
of GPG signatures but done by Debian during the download of the upstream
tarball.

Now it would be nice if this feature were actually used to make the
verification process during the packaging of upstream software slightly
better. It is not meant to replace the review of the upstream source
code, but it allows one to verify that a third party did not modify the
code after the release against the will of upstream. We all know the
phpmyadmin, unrealircd or proftpd debacles (to mention only some of
them). This would at least make it a lot harder for an attacker to get
such code to a wider audience through distributions like Debian.

Of course, not all upstream distributions provide such signatures, but
informing Debian Developers about the possibility to check those can
harden some packages. This in turn may lead to some Developers
requesting such signatures from upstream. It is a process which needs
time but must be started somewhere.

A pedantic level check for the previously mentioned characteristics
(pgpsigurlmangle in watch and debian/upstream-signing-key.pgp) seems to
be the right choice because it is not required by the policy and may not
be provided by upstream. So it looks to me slightly like
no-upstream-changelog.
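The following is an added, stand-alone sketch of the check this report asks for; it is not lintian code and not part of the original message. It parses a debian/watch file (comments, blank lines, backslash continuations and a quoted or unquoted opts= field), looks for the pgpsigurlmangle option, and checks whether debian/upstream-signing-key.pgp is present alongside it. The tag names and the two sample watch files are constructed for illustration; the real check would live inside lintian's own check framework rather than a script.

```python
"""Approximation of a lintian-style check for pgpsigurlmangle in debian/watch.

Added example only: tag names and sample watch files are constructed and
are not lintian's own.
"""
import os
import re
import tempfile

# Hypothetical tag names (constructed for this example).
TAG_MISSING_MANGLE = "debian-watch-missing-pgpsigurlmangle"      # pedantic
TAG_MISSING_KEYRING = "debian-upstream-signing-key-missing"       # mangle set but no keyring


def parse_watch(text):
    """Return (version, [(opts_dict, rest_of_line), ...]) for a watch file.

    Handles '#' comments, blank lines and backslash line continuations.
    opts= may be quoted and holds comma-separated key[=value] pairs
    (a comma inside a mangle rule is not handled here)."""
    logical_lines = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical_lines.append((buf + line).strip())
        buf = ""
    if buf:
        logical_lines.append(buf.strip())

    version = None
    entries = []
    for line in logical_lines:
        m = re.match(r"version\s*=\s*(\d+)$", line)
        if m:
            version = int(m.group(1))
            continue
        opts = {}
        rest = line
        m = re.match(r'opts=(?:"([^"]*)"|(\S+))\s+(.*)$', line)
        if m:
            raw_opts = m.group(1) if m.group(1) is not None else m.group(2)
            rest = m.group(3)
            for item in raw_opts.split(","):
                if item:
                    key, _, value = item.partition("=")
                    opts[key.strip()] = value
        entries.append((opts, rest))
    return version, entries


def check_watch(pkg_dir):
    """Return the list of (hypothetical) tags for the source package at pkg_dir."""
    tags = []
    watch_path = os.path.join(pkg_dir, "debian", "watch")
    key_path = os.path.join(pkg_dir, "debian", "upstream-signing-key.pgp")
    if not os.path.exists(watch_path):
        return tags  # a missing watch file is a separate concern
    with open(watch_path, encoding="utf-8") as fh:
        _version, entries = parse_watch(fh.read())
    uses_mangle = any("pgpsigurlmangle" in opts for opts, _ in entries)
    if entries and not uses_mangle:
        tags.append(TAG_MISSING_MANGLE)          # the pedantic hint proposed above
    if uses_mangle and not os.path.exists(key_path):
        tags.append(TAG_MISSING_KEYRING)         # uscan could never verify anything
    return tags


def demo(watch_text, with_keyring):
    """Build a throwaway package tree (constructed sample) and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "debian"))
        with open(os.path.join(tmp, "debian", "watch"), "w", encoding="utf-8") as fh:
            fh.write(watch_text)
        if with_keyring:
            # Placeholder content; a real file is an exported OpenPGP keyring.
            with open(os.path.join(tmp, "debian", "upstream-signing-key.pgp"), "wb") as fh:
                fh.write(b"")
        return check_watch(tmp)


# Constructed sample watch files (example.org is a placeholder host).
WATCH_PLAIN = """version=3
http://example.org/releases/foo-(.*)\\.tar\\.gz
"""
WATCH_SIGNED = """version=3
opts="pgpsigurlmangle=s/$/.asc/" \\
  http://example.org/releases/foo-(.*)\\.tar\\.gz
"""

if __name__ == "__main__":
    print(demo(WATCH_PLAIN, False))   # ['debian-watch-missing-pgpsigurlmangle']
    print(demo(WATCH_SIGNED, True))   # []
    print(demo(WATCH_SIGNED, False))  # ['debian-upstream-signing-key-missing']
```

The second tag is not part of the proposal in the report but falls out naturally from the same parse: a watch file that names a signature URL while the keyring is absent leaves uscan nothing to verify against, so the two conditions are worth reporting separately.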
