Hello,

Many downstream projects are using your source files directly from your FTP and packaging. This presents a problem.

1) Navigate to https://ftp.de.debian.org/debian/pool/main/
2) Click on ANY folder/subfolder of a popular project.
3) The only checksum can be found in the .dsc file.

While having the .dsc file is better than nothing, it does not allow downstream to run GPG verification against the source files themselves. Additionally, .dsc files only have SHA256 as the strongest checksum. SHA1 and MD5 have been considered weak/broken for some time, per Debian's own documentation.

Please consider implementing a system similar to kernel.org's - https://mirrors.kernel.org/sourceware/lvm2/releases/

In this scenario, each source tarball is signed with GPG, and a SHA512SUM is included for the entire directory as well. Downstream can then verify the GPG signature and the checksum easily.

Thank you for your time and concern.

Sincerely,
Luke
Parabola GNU/Linux-libre Packager
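An added example, not part of Luke's message, contrasting the two verification paths it describes: the orig tarball's checksum is read from the signed .dsc's Checksums-Sha256 field, versus a kernel.org-style SHA512SUMS file covering the whole directory. The OpenPGP check of the .dsc (or of a per-tarball .sig) is done separately with gpg and is not shown; all file names, contents and the .dsc fragment below are constructed samples.

```python
import hashlib
# Constructed sample data (not a real Debian package): the fake "tarball" bytes are
# b"abc", so the digests below are the standard SHA-256 / SHA-512 test vectors.
SAMPLE_FILES = {
    "example_1.0.orig.tar.gz": b"abc",  # Debian pool naming, referenced by the .dsc
    "example-1.0.tar.gz": b"abc",       # kernel.org-style naming, listed in SHA512SUMS
}
# Constructed .dsc fragment (OpenPGP wrapper omitted); entries are '<hex> <size> <name>'.
SAMPLE_DSC = """\
Source: example
Version: 1.0-1
Checksums-Sha256:
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 example_1.0.orig.tar.gz
"""
# Constructed kernel.org-style SHA512SUMS file ('<hex>  <name>' per file).
SAMPLE_SHA512SUMS = (
    "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
    "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
    "  example-1.0.tar.gz\n"
)

def parse_dsc_checksums(dsc_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} from one checksum field of a .dsc."""
    entries, in_field = {}, False
    for line in dsc_text.splitlines():
        if in_field and line.startswith(" "):   # continuation line of the field
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
        else:                                    # any non-indented line ends the field
            in_field = line.startswith(field + ":")
    return entries

def parse_sums_file(text):
    """Return {filename: (hexdigest, None)} from sha512sum-style output lines."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line.split(maxsplit=1)
            entries[name.lstrip("*")] = (digest.lower(), None)  # '*' marks binary mode
    return entries

def verify_files(expected, blobs, algo):
    """Check in-memory file bytes against (digest, size) entries; returns {name: bool}."""
    results = {}
    for name, (digest, size) in expected.items():
        data = blobs.get(name, b"")
        ok = name in blobs and (size is None or len(data) == size)  # missing/short: fail
        results[name] = ok and hashlib.new(algo, data).hexdigest() == digest
    return results
```

With a real package, `blobs` would be the downloaded files read from disk and the .dsc text would be the file fetched from the pool; the parsing and comparison are unchanged.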