Bug#732445: debian-policy should encourage verification of upstream cryptographic signaturse
On Tue, Dec 17, 2013 at 11:22:38PM -0500, Daniel Kahn Gillmor wrote:
> Package: debian-policy
> Severity: normal
> Tags: patch
>
> debian-policy should encourage verification of upstream cryptographic
> signatures.
>
> Since devscripts 2.13.3 (see #610712), uscan has supported the ability
> to automatically verify upstream's cryptographic signatures if the
> signing key and URL to the signature is well-known.
>
> debian-policy should recommend that package maintainers regularly
> verify these signatures for new versions, and mention the files used.
Hello Daniel,
While I agree that verification of upstream cryptographic signatures
is important, your patch mostly documents a tool to perform this
task, which is not something which belongs to policy in general.
Also policy is supposed to document commong practices, so it might
be a bit too soon to document debian/upstream-signing-key.pgp.
Maybe at this stage, the recommendation would be better placed in
developers-reference.
> A proposed patch for debian-policy is attached.
> commit f267cc2134197533bce3af8152aef15217967813
> Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
> Date: Tue Dec 17 23:15:08 2013 -0500
>
> Encourage verification of upstream cryptographic signatures
>
> Since devscripts 2.13.3 (see #610712), uscan has supported the ability
> to automatically verify upstream's cryptographic signatures if the
> signing key and URL to the signature is well-known.
>
> debian-policy should recommend that package maintainers regularly
> verify these signatures for new versions, and mention the files used.
>
> diff --git a/policy.sgml b/policy.sgml
> index dad8d23..ebe486f 100644
> --- a/policy.sgml
> +++ b/policy.sgml
> @@ -2373,8 +2373,31 @@ endif
> distribution as a whole.
> </p>
>
> - </sect>
> + <p>
> + If the package's upstream source offers detached
> + cryptographic signatures of their source, it is recommended
> + to use the <tt>pgpsigurlmangle</tt> option to locate the
> + upstream signature file
> + and <qref id="debianupstreamsigningkey"><tt>debian/usptream-signing-key.pgp</tt></qref>
> + to indicate the acceptable signing key
> + (see <manref name="uscan" section="1"> for details).
> + </p>
>
> + </sect>
> + <sect id="debianupstreamsigningkey">
> + <heading>Upstream signing key: <file>debian/upstream-signing-key.pgp</file></heading>
> + <p>
> + If the package's upstream offers cryptographic signatures of
> + their source, this optional, recommended file should contain
> + a binary OpenPGP (RFC 4880) keyring consisting of all
> + OpenPGP keys that the package maintainer considers
> + acceptable to sign new upstream releases of the software
> + (see <qref id="debianwatch"><tt>pgpsigurlmangle</tt>
> + from <tt>debian/watch</tt></qref> for instructions on how to
> + tell <tt>uscan</tt> how to find the signatures themselves
> + when new versions are available).
> + </p>
> + </sect>
> <sect id="debianfiles">
> <heading>Generated files list: <file>debian/files</file></heading>
>
--
Bill. <ballombe@debian.org>
Imagine a large red swirl here.
Reply to: