Control: clone 732445 -2
Control: reassign -2 developers-reference
Control: retitle -2 developers-reference should encourage verification of upstream cryptographic signatures
Control: retitle 732445 debian-policy should encourage verification of upstream cryptographic signatures
Hi Bill--

On Sat 2014-03-22 12:19:52 -0400, Bill Allombert wrote:
> While I agree that verification of upstream cryptographic signatures
> is important, your patch mostly documents a tool to perform this
> task, which is not something which belongs to policy in general.
> Also policy is supposed to document common practices, so it might
> be a bit too soon to document debian/upstream-signing-key.pgp.

You're quite right about my original bug report having been premature and over-specific for debian-policy; sorry about that. The current preferred location is now debian/upstream/signing-key.pgp (binary form) or debian/upstream/signing-key.asc (ascii-armored). And i agree with you that the specifics of how it's done might not need to be in policy.

However, as a matter of policy debian really should explicitly encourage developers to check whatever cryptographic verifications are offered by upstream, via whatever methods are available. And the use of debian/upstream/signing-key.* is becoming more common: http://codesearch.debian.net/search?q=signing-key.pgp shows over 370 hits, probably at least a hundred packages, including important packages like apache2 and openssh and libgcrypt11.

So i'm leaving the policy bug open because i think it's worth mentioning the suggestion. This is useful for both debian and our upstreams.

So i'm leaving this bug open with a plea for simpler/more generic text that encourages developers to do cryptographic verification, but i'm not sure what section of policy that should be in, if it's not concretely tied to debian/watch the way this specific patch was. any suggestions? i'm happy to write a couple sentences if someone wants to point me at the right section or subsection for context.

> Maybe at this stage, the recommendation would be better placed in
> developers-reference.

thanks, that's a good idea. i've cloned the bug to suggest its inclusion in developers-reference, where the specific and concrete language is probably more appropriate.
--dkg
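The verification step the message argues for (checking an upstream tarball and its detached signature against the key the packager ships in debian/upstream/signing-key.asc), as an added shell example; this is not code from the message, from uscan or from any Debian tool, and the file names on the stand-alone usage line are placeholders.

```shell
#!/bin/sh
# Verify an upstream tarball against the key shipped in
# debian/upstream/signing-key.asc, mirroring what uscan does once it has
# fetched the tarball and the detached signature named by pgpsigurlmangle.
# gpgv is used rather than gpg on purpose: it checks the signature only
# against the keyring it is given and ignores the trust database, so a key
# that is not in the packager's shipped file can never make a tarball pass.
set -u

# verify_upstream_tarball TARBALL SIGNATURE ARMORED_KEY
# Returns 0 only when SIGNATURE is a good signature on TARBALL made by a
# key contained in ARMORED_KEY (the debian/upstream/signing-key.asc file).
verify_upstream_tarball() {
    tarball=$1
    signature=$2
    armored_key=$3
    for f in "$tarball" "$signature" "$armored_key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 2; }
    done
    keyring=$(mktemp) || return 2
    # gpgv needs a binary keyring; convert the ASCII-armored file on the fly.
    if ! gpg --batch --yes --dearmor -o "$keyring" "$armored_key" 2>/dev/null; then
        rm -f "$keyring"
        echo "cannot read $armored_key as an OpenPGP key" >&2
        return 2
    fi
    status=0
    gpgv --keyring "$keyring" "$signature" "$tarball" >/dev/null 2>&1 || status=$?
    rm -f "$keyring"
    return $status
}

# Stand-alone use (placeholder file names):
#   sh verify.sh foo_1.0.orig.tar.gz foo-1.0.tar.gz.asc debian/upstream/signing-key.asc
if [ "${3-}" ]; then
    if verify_upstream_tarball "$1" "$2" "$3"; then
        echo "good signature on $1"
    else
        echo "signature check FAILED for $1" >&2
        exit 1
    fi
fi
```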