
Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures



Holger Levsen <holger@layer-acht.org> writes:
> On Mon, Aug 07, 2017 at 09:40:22AM -0700, Russ Allbery wrote:

>> In an ideal world, we would have a documented set of metadata for
>> finding upstream releases, of which uscan is just one implementation,
>> and document that in Policy.  This patch doesn't attempt to do that; it
>> tries to find a compromise between the current Policy language
>> ("include a watch file for uscan") and specifying the location of the
>> upstream signing keys, while deferring all of the details to the uscan
>> documentation.

>> I decided to keep this all in the uscan section rather than adding a
>> new section for the upstream signing key location, since right now this
>> is all closely linked to uscan functionality (and to avoid renumbering
>> sections or having a section weirdly separated from the uscan
>> description).

>> How does this look to everyone?

> Looks good to me, and the reasoning as well. Happy to second if you think
> it's ready.

Yup, I think it's ready, as long as dkg is happy with this!

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

