On Wed, Oct 05, 2016 at 09:55:08PM +0200, Guilhem Moulin wrote:
> Package: git-buildpackage
> Version: 0.8.4
> Severity: wishlist
>
> Dear Maintainer,
>
> `gpg import-orig --upstream-vcs-tag` provides a nice way to preserve the
> upstream VCS tree up to the most recent tag. However, signed upstream
> tags, when present, are currently not verified. It would be nice to
> provide an option for automatic tag verification using the armored
> keyring from debian/upstream/signing-key.asc, to match uscan(1)
> signature verification logic.
>
> In cases where upstream generates tarballs based on VCS tags,
> maintainers could then easily avoid downloading upstream tarballs
> altogether while 1/ preserving the upstream VCS tree, and 2/ still being
> able to ensure upstream code integrity.

That makes a lot of sense. I'm not a heavy --upstream-vcs-tag user so
tested patches (preferably with a testcase [1]) would be nice!

Cheers,
 -- Guido

[1]: a simple test in tests/component would be sufficient to test this
behaviour at all
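
One way the check requested in this thread could work, as an added example that is not gbp's code and not part of either message: import debian/upstream/signing-key.asc into a throwaway GNUPGHOME and let `git verify-tag --raw` report who signed the tag. The function names `signer_of` and `verify_upstream_tag` are hypothetical; it assumes `gpg` and `git` are on PATH and that the tag carries an OpenPGP signature.

```python
import os
import subprocess
import tempfile

# GnuPG status keywords that mean the signature must not be trusted. Rejecting
# expired/revoked keys is a policy choice assumed for this example.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample of `git verify-tag --raw` output (fingerprints are fake).
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1122334455667788 Upstream Dev <dev@example.org>\n"
    "[GNUPG:] VALIDSIG " + "A" * 40 + " 2016-10-05 1475697308 0 4 0 1 8 00 "
    + "B" * 40 + "\n"
)


def signer_of(status_text):
    """Return the signer's primary-key fingerprint, or None if not valid."""
    fpr = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return None
        if keyword == "VALIDSIG" and args:
            # The 10th argument is the primary key; it may be absent.
            fpr = args[9] if len(args) > 9 else args[0]
    return fpr


def verify_upstream_tag(repo, tag, keyring="debian/upstream/signing-key.asc"):
    """Verify `tag` against only the keys in the packaging keyring."""
    with tempfile.TemporaryDirectory() as home:  # created with mode 0700
        env = dict(os.environ, GNUPGHOME=home)
        # Fresh keyring: the user's own ~/.gnupg keys cannot vouch for the tag.
        subprocess.run(
            ["gpg", "--batch", "--quiet", "--import", os.path.join(repo, keyring)],
            env=env, check=True, capture_output=True)
        res = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                             env=env, capture_output=True, text=True)
        # --raw sends the GnuPG status lines to stderr.
        return signer_of(res.stderr) if res.returncode == 0 else None
```

Because the temporary keyring holds nothing but the keys shipped in the packaging branch, a returned fingerprint means the tag was signed by one of them; `None` should abort the import.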