Bug#732445: debian-policy should encourage verification of upstream cryptographic signaturse

Tue, 17 Dec 2013 20:27:49 -0800 

Package: debian-policy
Severity: normal
Tags: patch

debian-policy should encourage verification of upstream cryptographic
signatures.


Since devscripts 2.13.3 (see #610712), uscan has supported the ability
to automatically verify upstream's cryptographic signatures if the
signing key and URL to the signature is well-known.
 
debian-policy should recommend that package maintainers regularly
verify these signatures for new versions, and mention the files used.

A proposed patch for debian-policy is attached.

commit f267cc2134197533bce3af8152aef15217967813
Author: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Date:   Tue Dec 17 23:15:08 2013 -0500

    Encourage verification of upstream cryptographic signatures
    
    Since devscripts 2.13.3 (see #610712), uscan has supported the ability
    to automatically verify upstream's cryptographic signatures if the
    signing key and URL to the signature is well-known.
    
    debian-policy should recommend that package maintainers regularly
    verify these signatures for new versions, and mention the files used.

diff --git a/policy.sgml b/policy.sgml
index dad8d23..ebe486f 100644
--- a/policy.sgml
+++ b/policy.sgml
@@ -2373,8 +2373,31 @@ endif
           distribution as a whole.
         </p>
 
-      </sect>
+	<p>
+	  If the package's upstream source offers detached
+	  cryptographic signatures of their source, it is recommended
+	  to use the <tt>pgpsigurlmangle</tt> option to locate the
+	  upstream signature file
+	  and <qref id="debianupstreamsigningkey"><tt>debian/usptream-signing-key.pgp</tt></qref>
+	  to indicate the acceptable signing key
+	  (see <manref name="uscan" section="1"> for details).
+	</p>
 
+      </sect>
+      <sect id="debianupstreamsigningkey">
+        <heading>Upstream signing key: <file>debian/upstream-signing-key.pgp</file></heading>
+	<p>
+	  If the package's upstream offers cryptographic signatures of
+	  their source, this optional, recommended file should contain
+	  a binary OpenPGP (RFC 4880) keyring consisting of all
+	  OpenPGP keys that the package maintainer considers
+	  acceptable to sign new upstream releases of the software
+	  (see <qref id="debianwatch"><tt>pgpsigurlmangle</tt>
+	  from <tt>debian/watch</tt></qref> for instructions on how to
+	  tell <tt>uscan</tt> how to find the signatures themselves
+	  when new versions are available).
+	</p>
+      </sect>
       <sect id="debianfiles">
 	<heading>Generated files list: <file>debian/files</file></heading>

Reply via email to