
Bug#916207: lintian: debian-watch-does-not-check-gpg-signature certainty considered annoying
Hi Scott,

Many people find the tag cumbersome, and some people think it should
go away. At the same time, upstream sources are more trustworthy when
verified; and that is in the project's overall interest. Could your
concern be resolved by better naming?

I process the tag name (it has already been renamed once [1]) as
"debian-watch-does-not-check-A-gpg-signature." Without a signature
that is an objective fact.

On Tue, Dec 11, 2018 at 5:18 AM Scott Kitterman <debian@kitterman.com> wrote:
> As designed, debian-watch-does-not-check-gpg-signature does not check if
> upstream provides a GPG signature to make checking it possible.

When I process the name as
"debian-watch-does-not-check-THE-gpg-signature"---which is maybe the
way you are reading it---it means the same as
'debian-watch-could-verify-download' but the tag does not behave like
it.

My suggestion would be to rename the tag to
'built-from-unverified-sources' or similar. What do you think?

> when if there's no upstream signature, it's not at all a problem
> the maintainer can fix.  "Certainty: possible" seems much more reasonable to
> me.

The tag would continue to be of Certainty: certain.

Kind regards,
Felix

[1] https://salsa.debian.org/lintian/lintian/commit/0cbebd4ba0b2a067383616e18981eeb9de5d7df2
