Bug#727096: uscan: store signature for upstream tarball in debian/
Daniel Kahn Gillmor
dkg at debian.org
Tue Apr 12 16:06:31 UTC 2016
On Tue 2016-04-12 11:12:44 -0400, Paul Wise wrote:
> On Tue, 2016-04-12 at 10:26 -0400, Daniel Kahn Gillmor wrote:
>
>> I'm not sure that we need the [<fingerprint>] in that specification.
>
> This allows for multiple signers: an upstream release team to have
> multiple signers attesting that the build of the source tarball from
> git is bitwise reproducible, or an upstream signature plus the Debian
> maintainer attesting that they downloaded a particular package.
.asc files can already contain multiple signatures -- I guess I have no
problem with splitting them out if we want, as long as the tooling for
doing so is easy for people to use.
> BTW, check-all-the-things uses `hokey lint` to encourage package
> maintainers to talk to their upstreams about OpenPGP:
>
> https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git/tree/data/openpgp
>
> I should probably include a link to the best practices.
>
> https://help.riseup.net/en/security/message-security/openpgp/best-practices
Great, this is exactly the sort of ecosystem-shaping work we should be
encouraging.
--dkg
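The point above that a single .asc can carry several signatures, and that splitting them out needs easy tooling, is concrete enough to show. The following is an added example for this thread, not uscan or devscripts code and not anything from the people quoted: it dearmors a detached signature file, walks the OpenPGP packet stream (old- and new-format headers, RFC 4880 section 4.2), pulls the issuer fingerprint or key ID out of each signature packet, and re-armors each signature on its own with a fresh CRC-24 trailer. The two signature packets it runs on are constructed here (structurally valid tag-2 packets with dummy hash and MPI fields), so they parse but do not verify against any key; the key IDs and fingerprint are made up.

```python
"""Split a multi-signature armored OpenPGP detached signature into one armored
signature per signer, standard library only. Added example for the thread above,
not uscan/devscripts code; the signature packets below are constructed fakes."""
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB


def crc24(data: bytes) -> int:
    """RFC 4880 section 6.1 CRC-24 over the binary packet stream."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(packets: bytes) -> str:
    """Wrap binary packets in a PGP SIGNATURE armor block with a CRC line."""
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP SIGNATURE-----", ""] + lines
                     + ["=" + crc, "-----END PGP SIGNATURE-----", ""])


def dearmor(text: str) -> bytes:
    """Strip the armor, check the CRC-24 trailer, return the packet bytes."""
    lines = text.splitlines()
    i = next(n for n, l in enumerate(lines) if l.startswith("-----BEGIN PGP")) + 1
    while i < len(lines) and lines[i].strip():      # skip armor headers (Version:, Comment:)
        i += 1
    body, crc_line = [], None
    for line in lines[i + 1:]:
        if line.startswith("-----END"):
            break
        if line.startswith("="):                    # CRC line; padding '=' never starts a line
            crc_line = line[1:].strip()
        elif line.strip():
            body.append(line.strip())
    data = base64.b64decode("".join(body))
    if crc_line is not None and base64.b64decode(crc_line) != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor CRC-24 mismatch")
    return data


def _read_length(data: bytes, pos: int, subpacket: bool = False):
    """New-format packet length (RFC 4880 4.2.2) or subpacket length (5.2.3.1)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < (255 if subpacket else 224):
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths are not valid in a signature file")


def iter_packets(data: bytes):
    """Yield (tag, whole_packet, body) for each packet in an OpenPGP stream."""
    pos = 0
    while pos < len(data):
        start, ctb = pos, data[pos]
        if not ctb & 0x80:
            raise ValueError("invalid packet tag byte")
        if ctb & 0x40:                                # new-format header
            tag = ctb & 0x3F
            length, pos = _read_length(data, pos + 1)
        else:                                         # old-format header, 1/2/4-byte length
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not valid in a signature file")
            length = int.from_bytes(data[pos + 1:pos + 1 + (1 << ltype)], "big")
            pos += 1 + (1 << ltype)
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, data[start:pos], body


def issuer_of(body: bytes) -> str:
    """Signer identifier of a signature packet body: issuer fingerprint (subpacket 33)
    if present, else issuer key ID (subpacket 16), else the v3 fixed key ID field."""
    if body[0] == 3:
        return body[7:15].hex().upper()               # v3: ver, len, type, 4-byte time, key ID
    keyid = fingerprint = ""
    pos = 4                                           # skip version, sig type, pk algo, hash algo
    for _ in range(2):                                # hashed area, then unhashed area
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            sp_len, pos = _read_length(body, pos, subpacket=True)
            sp_type, sp_data = body[pos] & 0x7F, body[pos + 1:pos + sp_len]  # mask critical bit
            pos += sp_len
            if sp_type == 16 and len(sp_data) == 8:
                keyid = sp_data.hex().upper()
            elif sp_type == 33 and len(sp_data) > 1:
                fingerprint = sp_data[1:].hex().upper()   # first byte is key version
    return fingerprint or keyid


def split_signatures(armored: str):
    """Return [(issuer, armored_single_signature), ...] in stream order."""
    out = []
    for tag, whole, body in iter_packets(dearmor(armored)):
        if tag != 2:
            raise ValueError(f"unexpected packet tag {tag} in a detached signature")
        out.append((issuer_of(body), armor(whole)))
    return out


# Constructed input: fake tag-2 packets (made-up key IDs/fingerprint, dummy hash and MPI).
def _subpacket(sp_type: int, data: bytes) -> bytes:
    return bytes([len(data) + 1, sp_type]) + data     # one-byte length form only


def build_fake_v4_sig(keyid: bytes, fingerprint: bytes = b"", old_format: bool = False) -> bytes:
    hashed = _subpacket(2, b"\x60\x00\x00\x00")       # signature creation time
    if fingerprint:
        hashed += _subpacket(33, b"\x04" + fingerprint)   # issuer fingerprint of a v4 key
    unhashed = _subpacket(16, keyid)                   # issuer key ID
    body = (b"\x04\x00\x01\x08"                        # v4, binary-document sig, RSA, SHA-256
            + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\xab\xcd" + b"\x00\x10\xca\xfe")       # dummy hash prefix, one dummy MPI
    header = bytes([0x80 | (2 << 2), len(body)]) if old_format else bytes([0xC0 | 2, len(body)])
    return header + body


KEY_A, FPR_A = bytes.fromhex("0123456789ABCDEF"), bytes.fromhex("1F7A" * 10)
KEY_B = bytes.fromhex("FEDCBA9876543210")
TWO_SIGNER_ASC = armor(build_fake_v4_sig(KEY_A, FPR_A) + build_fake_v4_sig(KEY_B, old_format=True))

if __name__ == "__main__":
    for issuer, asc in split_signatures(TWO_SIGNER_ASC):
        print(f"--- signer {issuer} ---\n{asc}")
```

Each output block is a complete detached signature that can be checked on its own (for instance with gpgv against the keyring holding that signer's key), which is what a per-signer layout in debian/ would need; note that the issuer subpacket is only a hint about who signed, and the real binding to a key comes from the verification itself. GnuPG's gpgsplit does the binary packet split; the script above adds armor handling and issuer extraction so a maintainer can see which signer each piece belongs to before filing it.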