Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures
Holger Levsen <holger@layer-acht.org> writes:
> On Mon, Aug 07, 2017 at 09:40:22AM -0700, Russ Allbery wrote:
>> In an ideal world, we would have a documented set of metadata for
>> finding upstream releases, of which uscan is just one implementation,
>> and document that in Policy. This patch doesn't attempt to do that; it
>> tries to find a compromise between the current Policy language
>> ("include a watch file for uscan") and specifying the location of the
>> upstream signing keys, while deferring all of the details to the uscan
>> documentation.
>> I decided to keep this all in the uscan section rather than adding a
>> new section for the upstream signing key location, since right now this
>> is all closely linked to uscan functionality (and to avoid renumbering
>> sections or having a section weirdly separated from the uscan
>> description).
>> How does this look to everyone?
> looks good to me and the reasoning as well. happy to second if you think
> it's ready.
Yup, I think it's ready, as long as dkg is happy with this!
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>