
Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures



Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> I'd be happy to see us settle on one single location, and if folks think
> that the .asc version is the better option, updating lintian to nag
> about the other ones until they go away seems doable before we freeze
> for jessie.  I'll even file patches or do NMUs for packages that need
> them if a lintian tag appears.

That would be my preference, if for no other reason than options are
expensive to maintain and picking one good way to do something is usually
better.  However, I don't have strong feelings on the matter.

> Thinking further, I wonder if we should also encourage packagers to
> store the detached signature itself in the packaging directly (e.g.
> maybe in debian/upstream/signature.asc), so that the upstream tarball
> can be re-verified against the signing key even if the upstream archive
> goes offline; maybe that's a separate issue.

I think the level of benefit from this is low, since the source package is
already signed by the Debian uploader and includes a signature on the
tarball, but if the tools updated that file automatically (I'm thinking of
gbp import-orig and the like), I certainly wouldn't object to including
it.  I probably wouldn't bother to download it and copy it into place
myself, though.

> That said, if a debian packager wants to include extra OpenPGP
> certifications of moderate length, i don't think we should forbid them
> from doing so (i can imagine a packager wanting to include their own
> certification if they have made one, for example).

Yes, agreed.

>> I use:
>> 
>>     gpg --export --armor --export-options export-minimal <key> \
>>         > debian/upstream/signing-key.asc

> i think that's good advice, though i don't know whether it belongs in
> debian-policy or developers-reference.

developers-reference, probably.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
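The workflow the thread describes (keep a minimal export of the upstream signing key in debian/upstream/signing-key.asc, keep the detached signature beside it so the tarball can be re-verified even if upstream goes offline, and check the tarball against those two files alone), as an added example that is not code from the list, from debian-policy or from any Debian tool. The package name, the key identity, the tarball contents and the debian/upstream/signature.asc location are constructed for the demo (the location is the one dkg floats above, assumed here); gpg 2.1 or later and gpgv must be installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian's tools.  It plays
# both roles: "upstream" generates a throwaway key and signs a constructed
# release tarball; "the packager" stores the minimal public key in
# debian/upstream/signing-key.asc and the detached signature in
# debian/upstream/signature.asc (assumed location), then re-verifies the
# tarball from those two files with gpgv.
set -eu

# Verify TARBALL against PKGDIR/debian/upstream/signature.asc, trusting only
# the key shipped in PKGDIR/debian/upstream/signing-key.asc.  Returns 0 for a
# good signature, 1 otherwise.  gpgv is used rather than gpg because it has no
# trust model to get wrong: a key is either in the keyring or the check fails.
verify_upstream_tarball() {
    pkgdir=$1
    tarball=$2
    vhome=$(mktemp -d)
    rc=1
    # gpgv reads binary keyrings; the armored .asc is what is kept in git.
    if gpg --batch --quiet --homedir "$vhome" --dearmor \
            < "$pkgdir/debian/upstream/signing-key.asc" > "$vhome/upstream.gpg" \
       && gpgv --homedir "$vhome" --keyring "$vhome/upstream.gpg" \
            "$pkgdir/debian/upstream/signature.asc" "$tarball" 2>/dev/null; then
        rc=0
    fi
    rm -rf "$vhome"
    return $rc
}

# Constructed end-to-end run.  Returns 0 when the genuine tarball verifies and
# a tampered copy is rejected, 1 otherwise.
demo() {
    work=$(mktemp -d)
    pkg=$work/hello-1.0
    mkdir -p "$pkg/debian/upstream"

    # Upstream side: throwaway Ed25519 signing key, no passphrase (gpg >= 2.1
    # batch syntax).  The identity is fictitious.
    export GNUPGHOME="$work/upstream-gnupg"
    mkdir -m 700 "$GNUPGHOME"
    cat > "$GNUPGHOME/params" <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Upstream
Name-Email: upstream@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --batch --quiet --gen-key "$GNUPGHOME/params" 2>/dev/null
    fpr=$(gpg --batch --with-colons --list-keys upstream@example.invalid \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ -z "$fpr" ]; then
        echo "key generation failed" >&2; rm -rf "$work"; return 1
    fi

    # Upstream release: constructed tarball plus an armored detached signature.
    mkdir "$work/src"
    echo 'int main(void) { return 0; }' > "$work/src/hello.c"
    tar -C "$work" -czf "$work/hello-1.0.tar.gz" src
    gpg --batch --quiet --armor --detach-sign \
        --output "$work/hello-1.0.tar.gz.asc" "$work/hello-1.0.tar.gz"

    # Packager side: the export-minimal recipe quoted in the thread (no
    # third-party certifications), plus the detached signature stored beside it.
    gpg --batch --export --armor --export-options export-minimal "$fpr" \
        > "$pkg/debian/upstream/signing-key.asc"
    cp "$work/hello-1.0.tar.gz.asc" "$pkg/debian/upstream/signature.asc"
    gpgconf --kill gpg-agent 2>/dev/null || true
    unset GNUPGHOME    # the private key is out of reach from here on

    # Re-verification from the packaging alone: genuine file passes, a copy
    # with one appended byte must fail.
    if ! verify_upstream_tarball "$pkg" "$work/hello-1.0.tar.gz"; then
        echo "genuine tarball did not verify" >&2; rm -rf "$work"; return 1
    fi
    cp "$work/hello-1.0.tar.gz" "$work/tampered.tar.gz"
    printf 'x' >> "$work/tampered.tar.gz"
    if verify_upstream_tarball "$pkg" "$work/tampered.tar.gz"; then
        echo "tampered tarball verified" >&2; rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    echo "good signature accepted, tampered tarball rejected"
}

if command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1; then
    demo && DEMO_STATUS=ok || DEMO_STATUS=fail
else
    DEMO_STATUS=skipped
    echo "gpg and gpgv are required for this demo" >&2
fi
```

The point of the separate, empty gpgv home is the one Russ makes about what the stored files buy you: the check above answers "was this tarball signed by the key the packager committed to the repository", independently of the uploader's signature on the .dsc and of whether upstream's download site still exists. Dearmoring first is what uscan does too, since gpgv expects a binary keyring.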

