> >The git-buildpackage config includes these two attributes:
> >- upstream-vcs-tag
>
> I agree this would be useful to support as an upstream metadata field.

Great!

> >- upstream-signatures
>
> This seems to be more of a git workflow policy rather than an upstream
> metadata field.
> If upstream signs releases, the presence of a debian/upstream/signing-key.asc
> and configuration in debian/watch (pgpsigmangle) indicates whether the
> presence of the signature is mandatory. I'm also hesitant of bringing
> information about the upstream *tarball* into debian/upstream/metadata, as
> that is a role debian/watch already plays.

Please see Bug#1111115 and new uscan v5. The debian/watch might become obsolete and go away if the metadata is available in other files.

> (Maybe you mean signing of upstream tags rather than upstream tarballs? That
> is not what "upstream-signatures" in git-buildpackage appears to be about
> based on my reading of
> https://salsa.debian.org/debian/dh-make/-/blob/master/lib/debian/gbp.conf.ex)

No I meant this gbp option. There is currently no gbp option to check that tags are signed. That is however a good remark, and the name of the field could be clarified if made available in debian/upstream/metadata. Perhaps 'release-signatures: yes' and 'vcs-git-tag-signatures: yes'.

