Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures
Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> You're quite right about my original bug report having been premature
> and over-specific for debian-policy; sorry about that. The current
> preferred location is now debian/upstream/signing-key.pgp (binary form)
> or debian/upstream/signing-key.asc (ascii-armored). And i agree with
> you that the specifics of how it's done might not need to be in policy.

The file location probably should be, though, since that's the public
interface for this functionality.

I'm curious -- why do we have two different supported paths? At least in
my experience the ASCII-armored key is much easier to deal with, since you
don't have to configure dpkg to allow binary files in the debian
directory. I'm not sure that I see any drawback to just saying to always
use the *.asc form.

Another comment based on my personal experience with this is that, if the
packager is generating this key by exporting a key from a keyring (for
example, for the packages for which I'm also upstream, I'm exporting my
own key), they should do so with --export-options export-minimal. It
makes the file *much* smaller, and I don't think there's any need to
include all of the key signatures. The mere presence of this key in the
(signed) Debian source package already indicates the trust relationship
that's relevant for this purpose, and the end user can always retrieve
additional key signatures from a public keyserver if they really want
them.

I use:

    gpg --export --armor --export-options export-minimal <key> \
        > debian/upstream/signing-key.asc

to generate this file for my packages.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
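
Added example, not part of the message above and not code from any Debian tool: a small Python check that a debian/upstream/signing-key.asc file is ASCII-armored and carries at most one signature per user ID, which is what gpg's export-minimal option leaves behind. The function names are hypothetical and the sample keys are constructed packet streams with dummy bodies, not real key material.

```python
import base64

PUBKEY, SIG, USER_ID = 6, 2, 13  # OpenPGP packet tags (RFC 4880)

def dearmor(text):  # decode the base64 body of an ASCII-armored key block
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK"):
        raise ValueError("not an ASCII-armored public key")
    start = lines.index("") + 1  # armor headers end at the first blank line
    keep = [l for l in lines[start:] if not l.startswith(("=", "-----END"))]
    return base64.b64decode("".join(keep))  # the "=" line is the CRC-24 checksum

def packets(data):  # yield (tag, body) per packet in a binary OpenPGP stream
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0xC0 == 0xC0 and data[i] < 224:  # new format, short length
            tag, size = hdr & 0x3F, 1 if data[i] < 192 else 2
            n = data[i] if size == 1 else ((data[i] - 192) << 8) + data[i + 1] + 192
        elif hdr & 0xC0 == 0x80 and hdr & 3 != 3:  # old format, definite length
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            n = int.from_bytes(data[i:i + size], "big")
        else:
            raise ValueError("unsupported packet header")
        yield tag, data[i + size:i + size + n]
        i += size + n

def sigs_per_user_id(armored):  # user ID -> number of signatures following it
    counts, uid = {}, None
    for tag, body in packets(dearmor(armored)):
        if tag == USER_ID:
            uid = body.decode("utf-8", "replace")
            counts[uid] = 0
        elif tag != SIG:
            uid = None  # a subkey or other packet ends this user ID
        elif uid is not None:
            counts[uid] += 1
    return counts

def looks_minimal(armored):  # export-minimal leaves one self-signature per user ID
    return all(n <= 1 for n in sigs_per_user_id(armored).values())

def sample_armor(*pkts):  # constructed sample data: dummy bodies, not real keys
    raw = b"".join(bytes([0xC0 | t, len(b)]) + b for t, b in pkts)
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
            + base64.b64encode(raw).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

UID = (USER_ID, b"Upstream Author <upstream@example.org>")
MINIMAL = sample_armor((PUBKEY, b"key"), UID, (SIG, b"self"))
FULL = sample_armor((PUBKEY, b"key"), UID, (SIG, b"self"), (SIG, b"cert1"), (SIG, b"cert2"))
```

The check only counts packets: it does not verify the armor checksum or any signature, and it cannot tell a self-signature from a third-party certification.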