
Bug#732445: debian-policy should encourage verification of upstream cryptographic signatures



Hi,

Russ Allbery wrote:

> How does this look to everyone?

Seconded, with or without the tweaks dkg suggested in
https://bugs.debian.org/732445#68

Thanks,
Jonathan

> --- a/policy.xml
> +++ b/policy.xml
> @@ -2556,11 +2556,28 @@ endif</programlisting>
>  
>        <para>
>          This is an optional, recommended configuration file for the
> -        <literal>uscan</literal> utility which defines how to
> +        <command>uscan</command> utility which defines how to
>          automatically scan ftp or http sites for newly available updates
>          of the package.  This is used Debian QA tools to help with quality
>          control and maintenance of the distribution as a whole.
>        </para>
> +      <para>
> +        If the upstream maintainer of the software provides PGP signatures
> +        for new releases, including the information required for
> +        <command>uscan</command> to verify signatures for new upstream
> +        releases is also recommended.  To do this, use the
> +        <literal>pgpsigurlmangle</literal> option in
> +        <filename>debian/watch</filename> to specify the location of the
> +        upstream signature, and include the key or keys used to sign
> +        upstream releases in the Debian source package as
> +        <filename>debian/upstream/signing-key.asc</filename>.
> +      </para>
> +      <para>
> +        For more information about <command>uscan</command> and these
> +        options, including how to generate the file containing upstream
> +        signing keys, see
> +        <citerefentry><refentrytitle>uscan</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
> +      </para>
>      </section>
>  
>      <section id="s-debianfiles">
> 
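Review bot: the `<literal>` to `<command>` markup change on the existing uscan sentence is unrelated to the signature-verification addition and would be cleaner as its own commit; if that paragraph is being touched anyway, the context line "This is used Debian QA tools" is missing "by". In the new text, the closing paragraph says "these options" but the preceding paragraph introduces only one option (`pgpsigurlmangle`) plus a file path (`debian/upstream/signing-key.asc`); "this option and the key file" would be more precise.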

