Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures
Hi,
Russ Allbery wrote:
> How does this look to everyone?
Seconded, with or without the tweaks dkg suggested in
https://bugs.debian.org/732445#68
Thanks,
Jonathan
> --- a/policy.xml
> +++ b/policy.xml
> @@ -2556,11 +2556,28 @@ endif</programlisting>
>
> <para>
> This is an optional, recommended configuration file for the
> - <literal>uscan</literal> utility which defines how to
> + <command>uscan</command> utility which defines how to
> automatically scan ftp or http sites for newly available updates
> of the package. This is used Debian QA tools to help with quality
> control and maintenance of the distribution as a whole.
> </para>
> + <para>
> + If the upstream maintainer of the software provides PGP signatures
> + for new releases, including the information required for
> + <command>uscan</command> to verify signatures for new upstream
> + releases is also recommended. To do this, use the
> + <literal>pgpsigurlmangle</literal> option in
> + <filename>debian/watch</filename> to specify the location of the
> + upstream signature, and include the key or keys used to sign
> + upstream releases in the Debian source package as
> + <filename>debian/upstream/signing-key.asc</filename>.
> + </para>
> + <para>
> + For more information about <command>uscan</command> and these
> + options, including how to generate the file containing upstream
> + signing keys, see
> + <citerefentry><refentrytitle>uscan</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
> + </para>
> </section>
>
> <section id="s-debianfiles">
>
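Review bot: the new second paragraph tells the maintainer to ship the upstream key as debian/upstream/signing-key.asc but says nothing about how that key is to be obtained or checked, and the verification it recommends is only as strong as that trust anchor: a key fetched from the same download site as the tarball and the signature pointed to by pgpsigurlmangle proves nothing the site operator could not forge. Suggest adding a sentence that the key should be confirmed through a channel independent of the download location (a fingerprint published by upstream elsewhere, signatures on earlier releases the maintainer already trusts, direct contact) before it is committed, and that the file should contain only the key or keys actually used to sign releases, not upstream's whole keyring. Minor: the unchanged context line "This is used Debian QA tools to help with quality" is missing "by"; worth fixing while this paragraph is being touched.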