[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#732445: debian-policy should encourage verification of upstream cryptographic signaturse

On Tue, Dec 17, 2013 at 11:22:38PM -0500, Daniel Kahn Gillmor wrote:
> Package: debian-policy
> Severity: normal
> Tags: patch
> 
> debian-policy should encourage verification of upstream cryptographic
> signatures.
> 
> Since devscripts 2.13.3 (see #610712), uscan has supported the ability
> to automatically verify upstream's cryptographic signatures if the
> signing key and URL to the signature is well-known.
>  
> debian-policy should recommend that package maintainers regularly
> verify these signatures for new versions, and mention the files used.

Hello Daniel,

While I agree that verification of upstream cryptographic signatures
is important, your patch mostly documents a tool to perform this
task, which is not something which belongs to policy in general. 
Also policy is supposed to document commong practices, so it might
be a bit too soon to document debian/upstream-signing-key.pgp.

Maybe at this stage, the recommendation would be better placed in
developers-reference.

> A proposed patch for debian-policy is attached.

> commit f267cc2134197533bce3af8152aef15217967813
> Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
> Date:   Tue Dec 17 23:15:08 2013 -0500
> 
>     Encourage verification of upstream cryptographic signatures
>     
>     Since devscripts 2.13.3 (see #610712), uscan has supported the ability
>     to automatically verify upstream's cryptographic signatures if the
>     signing key and URL to the signature is well-known.
>     
>     debian-policy should recommend that package maintainers regularly
>     verify these signatures for new versions, and mention the files used.
> 
> diff --git a/policy.sgml b/policy.sgml
> index dad8d23..ebe486f 100644
> --- a/policy.sgml
> +++ b/policy.sgml
> @@ -2373,8 +2373,31 @@ endif
>            distribution as a whole.
>          </p>
>  
> -      </sect>
> +	<p>
> +	  If the package's upstream source offers detached
> +	  cryptographic signatures of their source, it is recommended
> +	  to use the <tt>pgpsigurlmangle</tt> option to locate the
> +	  upstream signature file
> +	  and <qref id="debianupstreamsigningkey"><tt>debian/usptream-signing-key.pgp</tt></qref>
> +	  to indicate the acceptable signing key
> +	  (see <manref name="uscan" section="1"> for details).
> +	</p>
>  
> +      </sect>
> +      <sect id="debianupstreamsigningkey">
> +        <heading>Upstream signing key: <file>debian/upstream-signing-key.pgp</file></heading>
> +	<p>
> +	  If the package's upstream offers cryptographic signatures of
> +	  their source, this optional, recommended file should contain
> +	  a binary OpenPGP (RFC 4880) keyring consisting of all
> +	  OpenPGP keys that the package maintainer considers
> +	  acceptable to sign new upstream releases of the software
> +	  (see <qref id="debianwatch"><tt>pgpsigurlmangle</tt>
> +	  from <tt>debian/watch</tt></qref> for instructions on how to
> +	  tell <tt>uscan</tt> how to find the signatures themselves
> +	  when new versions are available).
> +	</p>
> +      </sect>
>        <sect id="debianfiles">
>  	<heading>Generated files list: <file>debian/files</file></heading>
>  


-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here.
Reply to: