Bug#727096: uscan: store signature for upstream tarball in debian/
Paul Wise
pabs at debian.org
Tue Apr 12 15:12:44 UTC 2016
On Tue, 2016-04-12 at 10:26 -0400, Daniel Kahn Gillmor wrote:
> I'm not sure that we need the in that specification.
This allows for multiple signers: an upstream release team to have
multiple signers attesting that the build of the source tarball from git is bitwise reproducible, or an upstream signature plus the Debian
maintainer attesting that they downloaded a particular package.
> * If problems are found with certain kinds of keys for software
> signing, there is an easy way to do a rapid scan of the archive to
> detect which keys might be vulnerable and encourage upstreams to fix
> their practices
BTW, check-all-the-things uses `hokey lint` to encourage package
maintainers to talk to their upstreams about OpenPGP:
https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git/tree/data/openpgp
I should probably include a link to the best practices.
https://help.riseup.net/en/security/message-security/openpgp/best-practices
--
bye,
pabs
https://wiki.debian.org/PaulWise
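The multi-signer case above rests on a property of the file format: a detached OpenPGP signature (the `.asc` uscan would store) is simply a sequence of signature packets, so one file can carry an upstream signature and a maintainer signature side by side. The following parser, written as an added example for this thread and not code from devscripts or uscan, dearmors such a file, checks the armor CRC, walks the packets and reports the issuer key ID of every signature it finds. The sample signature block is constructed inside the script: its packet framing and subpackets follow RFC 4880, but the key IDs are made up and the signature MPIs are dummy bytes, so it is not cryptographically valid and only exercises the parser.

```python
"""List the issuers of every signature packet in an armored detached signature.

Added example; not part of devscripts/uscan. The sample below is constructed:
real RFC 4880 framing, fake key IDs, dummy MPI values (no real crypto).
"""
import base64


def _crc24(data: bytes) -> int:
    # RFC 4880 section 6.1: CRC-24 used for the armor checksum line
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip the BEGIN/END lines and headers, decode base64, verify the CRC."""
    lines = text.strip().splitlines()
    if lines[0] != "-----BEGIN PGP SIGNATURE-----" or lines[-1] != "-----END PGP SIGNATURE-----":
        raise ValueError("not an armored signature block")
    body = lines[1:-1]
    if "" in body:                      # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if _crc24(data) != expected:
            raise ValueError("armor CRC mismatch")
    return data


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header")
        if ctb & 0x40:                  # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype              # 1, 2 or 4 length octets
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def iter_subpackets(data: bytes):
    """Yield (type, data) for each signature subpacket (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, hdr = first, 1
        elif first < 255:
            length, hdr = ((first - 192) << 8) + data[i + 1] + 192, 2
        else:
            length, hdr = int.from_bytes(data[i + 1:i + 5], "big"), 5
        sub = data[i + hdr:i + hdr + length]
        yield sub[0] & 0x7F, sub[1:]    # high bit is the "critical" flag
        i += hdr + length


def parse_signature(body: bytes) -> dict:
    """Decode the fixed fields of a v4 signature packet and find its issuer."""
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    hashed_len = int.from_bytes(body[4:6], "big")
    hashed = body[6:6 + hashed_len]
    p = 6 + hashed_len
    unhashed = body[p + 2:p + 2 + int.from_bytes(body[p:p + 2], "big")]
    issuer = None
    for area in (hashed, unhashed):
        for stype, sdata in iter_subpackets(area):
            if stype == 16:             # Issuer key ID subpacket
                issuer = sdata.hex().upper()
    return {"type": body[1], "pk_algo": body[2], "hash_algo": body[3], "issuer": issuer}


def list_signers(armored: str) -> list:
    """Issuer key IDs of all signature packets (tag 2) in the armored file."""
    return [parse_signature(b)["issuer"] for t, b in iter_packets(dearmor(armored)) if t == 2]


def armor_is_intact(armored: str) -> bool:
    try:
        dearmor(armored)
        return True
    except ValueError:
        return False


# --- constructed sample: two signatures from two hypothetical signers ---------
def _dummy_signature_packet(issuer: bytes, new_format: bool = False) -> bytes:
    # v4, binary-document signature (0x00), RSA (1), SHA-256 (8); MPI is a dummy
    hashed = bytes([5, 2]) + (0x57000000).to_bytes(4, "big")   # creation time
    unhashed = bytes([9, 16]) + issuer                           # issuer key ID
    body = (bytes([4, 0, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\x12\x34" + b"\x00\x08\xAB")
    return (bytes([0xC2, len(body)]) if new_format else bytes([0x88, len(body)])) + body


def armor(data: bytes) -> str:
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(_crc24(data).to_bytes(3, "big")).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PGP SIGNATURE-----\n\n" + "\n".join(lines) + "\n=" + crc + "\n-----END PGP SIGNATURE-----\n"


UPSTREAM_KEYID = bytes.fromhex("0123456789ABCDEF")     # made-up key ID
MAINTAINER_KEYID = bytes.fromhex("FEDCBA9876543210")   # made-up key ID
SAMPLE_ASC = armor(_dummy_signature_packet(UPSTREAM_KEYID)
                   + _dummy_signature_packet(MAINTAINER_KEYID, new_format=True))

if __name__ == "__main__":
    print("signers:", list_signers(SAMPLE_ASC))
```

The parser only reports who claims to have signed; it does not verify the signatures themselves, so the key IDs it prints are exactly what `gpg --verify` would still have to check against trusted keys. Note also that tampering with the armored body is caught by the CRC only as a transport check, not as a security property.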