
Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures



Control: tag -1 patch

Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:

> debian-policy should encourage verification of upstream cryptographic
> signatures.

> Since devscripts 2.13.3 (see #610712), uscan has supported the ability
> to automatically verify upstream's cryptographic signatures if the
> signing key and URL to the signature are well-known.
>  
> debian-policy should recommend that package maintainers regularly
> verify these signatures for new versions, and mention the files used.

Hi everyone,

Here's a proposed new patch for this.

In an ideal world, we would have a documented set of metadata for finding
upstream releases, of which uscan is just one implementation, and document
that in Policy.  This patch doesn't attempt to do that; it tries to find a
compromise between the current Policy language ("include a watch file for
uscan") and specifying the location of the upstream signing keys, while
deferring all of the details to the uscan documentation.

I decided to keep this all in the uscan section rather than adding a new
section for the upstream signing key location, since right now this is all
closely linked to uscan functionality (and to avoid renumbering sections
or having a section weirdly separated from the uscan description).

How does this look to everyone?

diff --git a/policy.xml b/policy.xml
index 6086901..c14d9b4 100644
--- a/policy.xml
+++ b/policy.xml
@@ -2556,11 +2556,28 @@ endif</programlisting>
 
       <para>
         This is an optional, recommended configuration file for the
-        <literal>uscan</literal> utility which defines how to
+        <command>uscan</command> utility which defines how to
         automatically scan ftp or http sites for newly available updates
         of the package.  This is used Debian QA tools to help with quality
         control and maintenance of the distribution as a whole.
       </para>
+      <para>
+        If the upstream maintainer of the software provides PGP signatures
+        for new releases, including the information required for
+        <command>uscan</command> to verify signatures for new upstream
+        releases is also recommended.  To do this, use the
+        <literal>pgpsigurlmangle</literal> option in
+        <filename>debian/watch</filename> to specify the location of the
+        upstream signature, and include the key or keys used to sign
+        upstream releases in the Debian source package as
+        <filename>debian/upstream/signing-key.asc</filename>.
+      </para>
+      <para>
+        For more information about <command>uscan</command> and these
+        options, including how to generate the file containing upstream
+        signing keys, see
+        <citerefentry><refentrytitle>uscan</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
+      </para>
     </section>
 
     <section id="s-debianfiles">
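Review bot: the new paragraph tells maintainers to ship the upstream key as debian/upstream/signing-key.asc but says nothing about establishing that it really is upstream's key, and that is where the security of the whole mechanism lives: uscan will accept a signature from any key in that file, so a key fetched from the same download site as the tarball verifies whatever that site serves. Suggest a sentence after "as <filename>debian/upstream/signing-key.asc</filename>." along the lines of "Maintainers should verify the fingerprint of the upstream key through a channel independent of the download site before adding it, and re-check it when upstream changes keys." Minor, in the unchanged context of the same paragraph: "This is used Debian QA tools" is missing "by"; since the paragraph is being edited anyway, fixing it in this patch would be cheap.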

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
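Added here after the message, as a worked example that is not code from the bug report, from Policy or from uscan: what the proposed text asks a maintainer to set up, reproduced by hand with gpg and gpgv (assumed installed). The key names, the tarball, the URL in debian/watch and the watch file itself are all constructed for the example and belong to no real upstream. It applies a pgpsigurlmangle rule to a tarball URL the way uscan does, builds debian/upstream/signing-key.asc, and verifies a release against that keyring alone; it also shows the two rejections that matter, a tarball altered after signing and a correctly signed tarball whose key is not in the keyring, which is why the key's fingerprint has to be checked out of band before it goes into the source package.

```shell
#!/bin/sh
# Added example (not from the bug report, Policy, or uscan): the checks uscan
# performs when debian/watch carries pgpsigurlmangle and the source package
# ships debian/upstream/signing-key.asc, reproduced by hand with gpg/gpgv.
# Assumes gpg and gpgv are installed. Every key, tarball, URL and watch file
# here is constructed for the example; none belongs to a real upstream.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Generate a throwaway, passphrase-less signing key for the named party.
make_key() {
    cat > "$WORK/params" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%commit
EOF
    gpg --batch --quiet --gen-key "$WORK/params" 2>/dev/null
}

# --- Upstream side: a release tarball and a detached, armored signature ---
make_key "Example Upstream" release@example.invalid
mkdir -p "$WORK/upstream/example-1.0"
echo "constructed release contents" > "$WORK/upstream/example-1.0/README"
tar -C "$WORK/upstream" -czf "$WORK/upstream/example-1.0.tar.gz" example-1.0
gpg --batch --quiet --local-user release@example.invalid --armor --detach-sign \
    --output "$WORK/upstream/example-1.0.tar.gz.asc" "$WORK/upstream/example-1.0.tar.gz"

# --- Maintainer side: what the proposed Policy text asks the package to carry ---
mkdir -p "$WORK/debian/upstream"
# pgpsigurlmangle is a sed expression applied to the tarball URL to obtain
# the signature URL; this (constructed) upstream publishes <tarball>.asc.
cat > "$WORK/debian/watch" <<'EOF'
version=3
opts=pgpsigurlmangle=s/$/.asc/ \
  http://example.invalid/releases/example-(\d+\.\d+)\.tar\.gz
EOF
# Export the key(s) upstream signs with. The fingerprint must be checked
# through a channel independent of the download site first: gpgv accepts a
# signature from ANY key in this file, so a key fetched from the same server
# as a tampered tarball will verify the tampered tarball.
gpg --batch --quiet --armor --export release@example.invalid \
    > "$WORK/debian/upstream/signing-key.asc"

# Apply the mangle rule from debian/watch to a tarball URL as uscan would.
mangle_sig_url() {
    printf '%s\n' "$1" | sed 's/$/.asc/'
}

# Verify a detached signature against the armored keyring only (no web of
# trust, no default keyring), which is the check uscan delegates to gpgv.
# Returns 0 for a good signature by a key in the keyring, 1 otherwise.
verify_release() {
    keyring_asc=$1; tarball=$2; sig=$3
    keyring=$(mktemp "$WORK/keyring.XXXXXX")
    gpg --batch --quiet --dearmor < "$keyring_asc" > "$keyring"
    if gpgv --quiet --keyring "$keyring" "$sig" "$tarball" 2>/dev/null; then
        rm -f "$keyring"; return 0
    fi
    rm -f "$keyring"; return 1
}

# Two cases a maintainer should expect to see rejected:
# (a) a tarball modified after signing;
cp "$WORK/upstream/example-1.0.tar.gz" "$WORK/tampered.tar.gz"
printf 'x' >> "$WORK/tampered.tar.gz"
# (b) a tarball carrying a valid signature from a key NOT in signing-key.asc.
make_key "Not Upstream" mallory@example.invalid
gpg --batch --quiet --local-user mallory@example.invalid --armor --detach-sign \
    --output "$WORK/tampered.tar.gz.asc" "$WORK/tampered.tar.gz"

KEYRING="$WORK/debian/upstream/signing-key.asc"
TARBALL="$WORK/upstream/example-1.0.tar.gz"
if verify_release "$KEYRING" "$TARBALL" "$(mangle_sig_url "$TARBALL")"; then
    echo "genuine release: signature OK"
fi
```

Run it with sh. Note what the check does and does not establish: gpgv ignores the web of trust and any default keyring, so a passing result means only "signed by a key the maintainer put in signing-key.asc"; the fingerprint check before exporting that key is the part no tool can do for the maintainer.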

