
Bug#868497: debian-policy: Signed .dsc Files



Hello Paul,

On Sun, Jul 16, 2017 at 04:36:55PM -0700, Paul Hardy wrote:
> I was wondering if a maintainer signed a .dsc file in a package that
> was uploaded (and hence signed) by a sponsor, that the FTP server
> would reject the .dsc file for having an invalid signature.

The sponsor would probably unpack and then rebuild the source package
for the upload.

If they didn't, and directly signed the .dsc using debsign(1), it would
strip the sponsee's signature, and then sign both the .dsc and the
.changes.

So I believe the problem case could not arise.

> Could the wording be changed to "...possibly surrounded by the
> maintainer's PGP signature"?  The term "maintainer" is implicitly
> defined in the Policy Manual through repeated mention.

This wouldn't be sufficient because those without upload rights can
be sponsored to perform non-maintainer uploads.

> Of course, out of context of this request someone might think "of
> course the maintainer would sign the .dsc file--who else would do
> that?"

Well, again, it could be someone other than the maintainer, performing
an NMU.

-- 
Sean Whitton

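The two paths Sean describes above (debsign stripping the sponsee's signature before re-signing, versus naively signing an already-signed .dsc) come down to the OpenPGP clearsign framing of a .dsc (RFC 4880, section 7). The Python below is an added example, not code from this thread, from debsign or from Debian: it does no cryptography at all and only handles the framing, so the signature blocks are labelled placeholders rather than real OpenPGP packets, and the .dsc body is constructed for the example. It shows that a .dsc must be unwrapped before a sponsor's signature is applied, because signing the signed file instead produces a nested clearsigned message whose inner signature is merely dash-escaped payload.

```python
"""Clearsign framing of a .dsc (RFC 4880 section 7): strip and re-wrap.

Added example, not debsign's code. No signature is verified or produced
here; the armored signature text is supplied by the caller (placeholders
below), exactly as gpg would supply it to a real tool.
"""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def is_clearsigned(text: str) -> bool:
    """True if the text carries (at least one layer of) clearsign framing."""
    lines = text.splitlines()
    return bool(lines) and lines[0] == BEGIN_SIGNED and END_SIG in lines


def strip_clearsign(text: str) -> str:
    """Return the unsigned body, undoing dash-escaping.

    Removes exactly ONE layer of framing, which is what debsign must do to
    a sponsee-signed .dsc before it signs. Unsigned input is returned as-is.
    """
    if not is_clearsigned(text):
        return text
    lines = text.splitlines()
    # Armor headers ("Hash: SHA256", ...) run up to the first blank line.
    i = 1
    while i < len(lines) and lines[i] != "":
        i += 1
    i += 1  # skip the blank line that terminates the headers
    body = []
    for line in lines[i:]:
        if line == BEGIN_SIG:
            break
        # Dash-escaping: a body line starting with "-" was prefixed "- ".
        body.append(line[2:] if line.startswith("- ") else line)
    else:
        raise ValueError("clearsigned message has no signature block")
    return "\n".join(body) + "\n"


def wrap_clearsign(body: str, armored_sig: str, hash_name: str = "SHA256") -> str:
    """Frame body as a clearsigned message around a caller-supplied signature.

    Dash-escapes body lines per RFC 4880, so a body that is itself a
    clearsigned message survives intact as payload (the naive double-sign).
    """
    escaped = [("- " + l) if l.startswith("-") else l for l in body.splitlines()]
    framed = [BEGIN_SIGNED, f"Hash: {hash_name}", ""] + escaped
    framed += [BEGIN_SIG, "", armored_sig, END_SIG]
    return "\n".join(framed) + "\n"


# Constructed .dsc body for the example (checksums are those of an empty file).
SAMPLE_BODY = """\
Format: 3.0 (quilt)
Source: example
Binary: example
Architecture: any
Version: 1.0-1
Maintainer: Example Maintainer <maint@example.org>
Checksums-Sha256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 example_1.0.orig.tar.gz
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 example_1.0.orig.tar.gz
"""

# Placeholders standing in for gpg output; NOT valid OpenPGP signatures.
SPONSEE_SIG = "c3BvbnNlZSBwbGFjZWhvbGRlciBzaWduYXR1cmU=\n=0000"
SPONSOR_SIG = "c3BvbnNvciBwbGFjZWhvbGRlciBzaWduYXR1cmU=\n=0000"


def resign_demo() -> dict:
    """Compare debsign's strip-then-sign with signing the signed file."""
    sponsee_signed = wrap_clearsign(SAMPLE_BODY, SPONSEE_SIG)
    # debsign path: strip the sponsee's signature, then sign the bare body.
    debsign_result = wrap_clearsign(strip_clearsign(sponsee_signed), SPONSOR_SIG)
    # naive path: sign the already-signed file without stripping.
    naive_result = wrap_clearsign(sponsee_signed, SPONSOR_SIG)
    return {
        "debsign_unwraps_to_body": strip_clearsign(debsign_result) == SAMPLE_BODY,
        # one strip of the naive result yields the sponsee's signed file, still framed
        "naive_is_nested": is_clearsigned(strip_clearsign(naive_result)),
        "naive_inner_is_sponsee_file": strip_clearsign(naive_result) == sponsee_signed,
    }


if __name__ == "__main__":
    for k, v in resign_demo().items():
        print(f"{k}: {v}")
```

The nested case is the one the archive would see if a sponsor ever signed without stripping: the outer signature is the sponsor's, but the signed payload is not a .dsc, it is the sponsee's clearsigned text with every armor line dash-escaped, so the checker would not find the .dsc fields where it expects them. That is why debsign strips before it signs, and why the problem case in the thread does not arise in practice.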

