Re: Upstream Tarball Signature Files

[Paul Hardy <unifoundry@gmail.com>]

Russ,

On Sat, Aug 12, 2017 at 7:59 PM, Russ Allbery <rra@debian.org> wrote:

Hi Paul,

This isn't a debian-policy matter...

My thinking was it would be beneficial for Debian Policy to suggest (but not require) use of upstream OpenPGP signatures when available, because such signature file use will help ensure the integrity of the Debian archive.

However, I don't think it's a good idea to support multiple file names for
the same thing...

It's almost never a good idea to introduce synonyms into any sort of
standard.  It adds a lot of complexity that has to be maintained forever,
to very little benefit.

In this case, it is a trade-off between Debian packaging tools accepting both ASCII and binary signature files forever, versus Debian maintainers who repackage upstream sources with binary signatures having to convert those signatures with each new upstream release forever.

The GNU FTP repository files are accompanied by binary ".sig" signatures during upload to that site, and are listed with the accompanying files (which is why I need to generate binary ".sig" files for upstream).  The benefit at least would be for Debian maintainers who re-package those GNU Project files.

However, I can propose additions for the Policy Manual in Chapter 4 and the Files and Checksums sections that only describe the ".asc" format.  At least that will document the current situation.

Thanks,

Paul Hardy