On Thu, Aug 14, 2025 at 12:51:52PM -0700, Otto Kekäläinen wrote:
> > > - upstream-signatures
> >
> > This seems to be more of a git workflow policy rather than an upstream metadata
> > field.
> >
> > If upstream signs releases, the presence of a debian/upstream/signing-key.asc
> > and configuration in debian/watch (pgpsigmangle) indicates whether the presence
> > of the signature is mandatory. I'm also hesitant of bringing information
> > about the upstream *tarball* into debian/upstream/metadata, as that is a role
> > debian/watch already plays.
>
> Please see Bug#1111115 and new uscan v5. The debian/watch might become
> obsolete and go away if the metadata is available in other files.
Can we keep these (upstream-vcs-tag, upstream tarball details) as separate
discussions in that case? Upstream VCS information is already in
debian/upstream/metadata and upstream vcs tag information isn't stored
in any standard debian/ control files yet, so that seems like a much more
natural fit. I'd rather not tie the fate of these two together.

There is a lot of other data about the upstream tarball(s) in debian/watch,
and pre-existing tooling and debian/watch files that use it.
Signatures are just one part of that, and I don't think it makes
sense to *just* move the signatures to debian/upstream/metadata. E.g.
the following debian/watch bits are relevant:

FWIW I think there is value in separating out the information about the
canonical upstream source location from the configuration on how to generate
a debian .orig.tar.gz (which I think is something that debian/watch
currently mixes), but I also expect it is a much larger discussion
to have.

Cheers,
Jelmer