On Tue, Dec 17, 2013 at 11:22:38PM -0500, Daniel Kahn Gillmor wrote:
> Package: debian-policy
> Severity: normal
> Tags: patch
>
> debian-policy should encourage verification of upstream cryptographic
> signatures.
>
> Since devscripts 2.13.3 (see #610712), uscan has supported the ability
> to automatically verify upstream's cryptographic signatures if the
> signing key and URL to the signature is well-known.
>
> debian-policy should recommend that package maintainers regularly
> verify these signatures for new versions, and mention the files used.
Hello Daniel,

While I agree that verification of upstream cryptographic signatures is
important, your patch mostly documents a tool to perform this task, which
is not something which belongs to policy in general. Also policy is
supposed to document common practices, so it might be a bit too soon to
document debian/upstream-signing-key.pgp. Maybe at this stage, the
recommendation would be better placed in developers-reference.

> A proposed patch for debian-policy is attached.
>
> commit f267cc2134197533bce3af8152aef15217967813
> Author: Daniel Kahn Gillmor <d...@fifthhorseman.net>
> Date:   Tue Dec 17 23:15:08 2013 -0500
>
>     Encourage verification of upstream cryptographic signatures
>
>     Since devscripts 2.13.3 (see #610712), uscan has supported the ability
>     to automatically verify upstream's cryptographic signatures if the
>     signing key and URL to the signature is well-known.
>
>     debian-policy should recommend that package maintainers regularly
>     verify these signatures for new versions, and mention the files used.
>
> diff --git a/policy.sgml b/policy.sgml
> index dad8d23..ebe486f 100644
> --- a/policy.sgml
> +++ b/policy.sgml
> @@ -2373,8 +2373,31 @@ endif > distribution as a whole. > </p> > > - </sect> > + <p> > + If the package's upstream source offers detached > + cryptographic signatures of their source, it is recommended > + to use the <tt>pgpsigurlmangle</tt> option to locate the > + upstream signature file > + and <qref > id="debianupstreamsigningkey"><tt>debian/usptream-signing-key.pgp</tt></qref> > + to indicate the acceptable signing key > + (see <manref name="uscan" section="1"> for details). > + </p> > > + </sect> > + <sect id="debianupstreamsigningkey"> > + <heading>Upstream signing key: > <file>debian/upstream-signing-key.pgp</file></heading> > + <p> > + If the package's upstream offers cryptographic signatures of > + their source, this optional, recommended file should contain > + a binary OpenPGP (RFC 4880) keyring consisting of all > + OpenPGP keys that the package maintainer considers > + acceptable to sign new upstream releases of the software > + (see <qref id="debianwatch"><tt>pgpsigurlmangle</tt> > + from <tt>debian/watch</tt></qref> for instructions on how to > + tell <tt>uscan</tt> how to find the signatures themselves > + when new versions are available). > + </p> > + </sect> > <sect id="debianfiles"> > <heading>Generated files list: <file>debian/files</file></heading>

-- 
Bill. <ballo...@debian.org>

Imagine a large red swirl here.

-- 
To UNSUBSCRIBE, email to debian-policy-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140322161952.GA10855@yellowpig
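Review bot: the `<qref>` in the first added paragraph spells the file `debian/usptream-signing-key.pgp`, while the heading and body of the new `debianupstreamsigningkey` sect use `debian/upstream-signing-key.pgp`; the `<tt>` text should be corrected to match, since a reader copying the name from the policy text would otherwise create a file uscan never looks at. Two further points on this hunk: the paragraph only says the option and keyring are used "to locate the upstream signature file" and "to indicate the acceptable signing key", but never states the requirement the bug report is asking for, namely that the signature be checked against that keyring before a new upstream tarball is used, so a sentence making that explicit (for example, that uscan then refuses the download unless the signature verifies with one of the listed keys) would make the recommendation actionable rather than descriptive. Also, `<qref id="debianwatch">` assumes a sect with that id already exists; the hunk context ("distribution as a whole.") does not show it, so confirm the id is present before building the document, and consider rewording "this optional, recommended file", which reads as contradictory, to something like "this file is optional; it is recommended whenever upstream signs its releases".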
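As an added illustration of what the proposed policy text refers to (this is example material, not part of the patch, the policy document or uscan's own code): the `debian/watch` line with the `pgpsigurlmangle` option, the keyring file it pairs with, and the detached-signature check that the two together enable. The package name `foo`, the `example.org` URLs and the version pattern are made up for the example; `opts=pgpsigurlmangle=...` is the watch-file syntax from uscan(1), and `gpg --export` / `gpgv --keyring` are the standard tools for writing a binary OpenPGP keyring and verifying a signature against only that keyring. The `mangle_sig_url` helper applies the rule with sed, which is an approximation of uscan evaluating it as Perl and is only exact for simple rules like the ones shown.

```shell
#!/bin/sh
# Added example (not the policy patch's or uscan's code).  Package name,
# site and version pattern are hypothetical.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
mkdir -p "$workdir/debian"

# 1. debian/watch: pgpsigurlmangle turns each tarball URL into the URL of
#    its detached signature (here: append ".asc").  Hypothetical upstream.
cat > "$workdir/debian/watch" <<'EOF'
version=3
opts=pgpsigurlmangle=s/$/.asc/ \
  https://example.org/releases/ foo-(\d+\.\d+)\.tar\.gz
EOF

# Apply a pgpsigurlmangle-style s/// rule to a tarball URL.  uscan runs the
# rule as Perl; sed gives the same result for simple rules like the above.
mangle_sig_url() {
    url=$1
    rule=$2
    printf '%s\n' "$url" | sed -e "$rule"
}

# 2. debian/upstream-signing-key.pgp: a binary OpenPGP keyring holding only
#    the keys the maintainer accepts for upstream releases.  gpg --export
#    (without --armor) writes exactly that format.  Pass the full fingerprint
#    of a key whose ownership you have checked out of band.
build_keyring() {
    fpr=$1
    gpg --export "$fpr" > "$workdir/debian/upstream-signing-key.pgp"
}

# 3. The check itself: the detached signature must verify with a key from
#    that file.  The keyring path contains a slash, so gpgv uses this file
#    rather than looking in the GnuPG home directory; nothing in the
#    maintainer's personal keyring is consulted.
verify_release() {
    tarball=$1
    sig=$2
    gpgv --keyring "$workdir/debian/upstream-signing-key.pgp" "$sig" "$tarball"
}

sig_url=$(mangle_sig_url 'https://example.org/releases/foo-1.2.tar.gz' 's/$/.asc/')
echo "signature for foo-1.2.tar.gz would be fetched from: $sig_url"
echo "keyring expected at: $workdir/debian/upstream-signing-key.pgp"
```

The keyring is the trust anchor: every key in it is accepted, so `build_keyring` is run once, with a fingerprint confirmed from upstream's release announcements or a signature chain you trust, and the file is committed with the packaging. `verify_release` is the same check uscan performs on your behalf once the watch file carries the option; it is separated out here so it can be run by hand on a tarball that was downloaded some other way.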