Bug#732445: debian-policy should encourage verification of upstream cryptographic signaturse
Package: debian-policy
Severity: normal
Tags: patch
debian-policy should encourage verification of upstream cryptographic
signatures.
Since devscripts 2.13.3 (see #610712), uscan has supported the ability
to automatically verify upstream's cryptographic signatures if the
signing key and URL to the signature is well-known.
debian-policy should recommend that package maintainers regularly
verify these signatures for new versions, and mention the files used.
A proposed patch for debian-policy is attached.
commit f267cc2134197533bce3af8152aef15217967813
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Tue Dec 17 23:15:08 2013 -0500
Encourage verification of upstream cryptographic signatures
Since devscripts 2.13.3 (see #610712), uscan has supported the ability
to automatically verify upstream's cryptographic signatures if the
signing key and URL to the signature is well-known.
debian-policy should recommend that package maintainers regularly
verify these signatures for new versions, and mention the files used.
diff --git a/policy.sgml b/policy.sgml
index dad8d23..ebe486f 100644
--- a/policy.sgml
+++ b/policy.sgml
@@ -2373,8 +2373,31 @@ endif
distribution as a whole.
</p>
- </sect>
+ <p>
+ If the package's upstream source offers detached
+ cryptographic signatures of their source, it is recommended
+ to use the <tt>pgpsigurlmangle</tt> option to locate the
+ upstream signature file
+ and <qref id="debianupstreamsigningkey"><tt>debian/usptream-signing-key.pgp</tt></qref>
+ to indicate the acceptable signing key
+ (see <manref name="uscan" section="1"> for details).
+ </p>
+ </sect>
+ <sect id="debianupstreamsigningkey">
+ <heading>Upstream signing key: <file>debian/upstream-signing-key.pgp</file></heading>
+ <p>
+ If the package's upstream offers cryptographic signatures of
+ their source, this optional, recommended file should contain
+ a binary OpenPGP (RFC 4880) keyring consisting of all
+ OpenPGP keys that the package maintainer considers
+ acceptable to sign new upstream releases of the software
+ (see <qref id="debianwatch"><tt>pgpsigurlmangle</tt>
+ from <tt>debian/watch</tt></qref> for instructions on how to
+ tell <tt>uscan</tt> how to find the signatures themselves
+ when new versions are available).
+ </p>
+ </sect>
<sect id="debianfiles">
<heading>Generated files list: <file>debian/files</file></heading>
Reply to: