
Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures



Control: clone 732445 -2
Control: reassign -2 developers-reference
Control: retitle -2 developers-reference should encourage verification of upstream cryptographic signatures
Control: retitle 732445 debian-policy should encourage verification of upstream cryptographic signatures

Hi Bill--

On Sat 2014-03-22 12:19:52 -0400, Bill Allombert wrote:
> While I agree that verification of upstream cryptographic signatures
> is important, your patch mostly documents a tool to perform this
> task, which is not something which belongs to policy in general.
> Also policy is supposed to document common practices, so it might
> be a bit too soon to document debian/upstream-signing-key.pgp.

You're quite right about my original bug report having been premature
and over-specific for debian-policy; sorry about that.  The current
preferred location is now debian/upstream/signing-key.pgp (binary form)
or debian/upstream/signing-key.asc (ascii-armored).  And i agree with
you that the specifics of how it's done might not need to be in policy.

However, as a matter of policy debian really should explicitly encourage
developers to check whatever cryptographic verifications are offered by
upstream, via whatever methods are available.  And the use of
debian/upstream/signing-key.* is becoming more common:

 http://codesearch.debian.net/search?q=signing-key.pgp

shows over 370 hits, probably at least a hundred packages, including
important packages like apache2 and openssh and libgcrypt11.

So i'm leaving the policy bug open because i think it's worth mentioning
the suggestion.  This is useful for both debian and our upstreams.

So i'm leaving this bug open with a plea for simpler/more generic text
that encourages developers to do cryptographic verification, but i'm not
sure what section of policy that should be in, if it's not concretely
tied to debian/watch the way this specific patch was.

any suggestions?  i'm happy to write a couple sentences if someone wants
to point me at the right section or subsection for context.

> Maybe at this stage, the recommendation would be better placed in
> developers-reference.

thanks, that's a good idea.

i've cloned the bug to suggest its inclusion in developers-reference,
where the specific and concrete language is probably more appropriate.

     --dkg
