Bug#727096: uscan: store signature for upstream tarball in debian/

Paul Wise pabs at debian.org
Tue Apr 12 14:13:29 UTC 2016


On Tue, 2016-04-12 at 21:14 +0900, Osamu Aoki wrote:

> I assume "create" means "create a copy of the upstream-generated
> signature" as foo_0.1.2.orig.tar.gz.asc which can be
> verified by the keyring debian/upstream/signing-key.pgp in the older
> package.

Correct.

> I am a bit confused what kind of assurance it brings to the end user.

If the user has a trust path to upstream, they can be sure that Debian
hasn't modified the upstream tarball.

I think we had more use cases but can't remember, hopefully dkg (CCed)
remembers some of them. I expect it is mostly useful to Debian.

I expect this will be useful for binary transparency efforts:

https://pad.riseup.net/p/binary-transparency
https://github.com/FreeBSDFoundation/binary-transparency-notes
https://boingboing.net/2016/03/10/using-distributed-code-signatu.html

> Also if a new upstream package is signed by a new upstream key, uscan
> using old key will fail. ...

Yes, this is expected and should result in the Debian maintainer
investigating the situation and contacting upstream to clarify it.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
