Re: Upstream Tarball Signature Files

[Paul Hardy <unifoundry@gmail.com>]

Guillem,

On Tue, Aug 8, 2017 at 1:48 AM, Guillem Jover <guillem@debian.org> wrote:

Hi!

On Mon, 2017-08-07 at 20:26:41 -0700, Paul Hardy wrote:
> Also, where signature files are desired, I think it would be beneficial to
> also accept binary ".sig" files...

There is no need for that, you can convert from ASCII armored to
binary signatures and the other way around easily. For example to
convert from .sig to .asc you can do the following:

  $ gpg --output - --enarmor unifont_upper-10.0.05.ttf.sig | \
    sed -e 's/ARMORED FILE/SIGNATURE/;/^Comment:/d' > \
    unifont_upper-10.0.05.ttf.asc
  ...

This could be done automatically as part of uscan, so you'd not even
need to do it manually!

Would you consider doing this conversion in a separate shell script as part of dpkg-dev (for example, named "sig2asc")?  Then the script could be run from the command line, and uscan also could invoke it.  If you would accept that, I could write a proposed shell script with a man page for you and file them as patches in a bug against dpkg-dev or mail them to you privately.

I am the GNU Project maintainer for Unifont.  I build the GNU upstream version and the Debian version with one higher-level "make" command at the same time.  So I would not use uscan for OpenPGP format conversion; I only use it in my debian/watch file.

With a separate shell script in place, maintainer documentation could be updated to mention it.  After that, wording for a Policy change concerning upstream signatures could be crafted that would refer to that capability.

So I would postpone adding mention of upstream signature file use in the Policy Manual until those components are in place (shell script and maintainer document updates).

Thank you,

Paul Hardy