Daniel Kahn Gillmor <d...@fifthhorseman.net> writes:

> I'd be happy to see us settle on one single location, and if folks think
> that the .asc version is the better option, updating lintian to nag
> about the other ones until they go away seems doable before we freeze
> for jessie. I'll even file patches or do NMUs for packages that need
> them if a lintian tag appears.

That would be my preference, if for no other reason than options are
expensive to maintain and picking one good way to do something is usually
better. However, I don't have strong feelings on the matter.

> Thinking further, I wonder if we should also encourage packagers to
> store the detached signature itself in the packaging directly (e.g.
> maybe in debian/upstream/signature.asc), so that the upstream tarball
> can be re-verified against the signing key even if the upstream archive
> goes offline; maybe that's a separate issue.

I think the level of benefit from this is low, since the source package is
already signed by the Debian uploader and includes a signature on the
tarball, but if the tools updated that file automatically (I'm thinking of
gbp import-orig and the like), I certainly wouldn't object to including it.
I probably wouldn't bother to download it and copy it into place myself,
though.

> That said, if a debian packager wants to include extra OpenPGP
> certifications of moderate length, i don't think we should forbid them
> from doing so (i can imagine a packager wanting to include their own
> certification if they have made one, for example).

Yes, agreed.

>> I use:
>>
>>   gpg --export --armor --export-options export-minimal <key> \
>>     > debian/upstream/signing-key.asc

> i think that's good advice, though i don't know whether it belongs in
> debian-policy or developers-reference.

developers-reference, probably.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
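
A sketch of the kind of nag discussed in this thread, added here as an example; it is not code from the message or from lintian. It assumes debian/upstream/signing-key.asc is the location settled on, treats the two .pgp paths that uscan has also accepted as "the other ones", and the function name and message wording are hypothetical.

```shell
#!/bin/sh
# Added example: lintian-style check of where a source package keeps the
# upstream signing key. Assumption: the .asc path is the single preferred
# location; the .pgp paths are older locations uscan has also accepted.

PREFERRED="debian/upstream/signing-key.asc"
LEGACY="debian/upstream/signing-key.pgp debian/upstream-signing-key.pgp"

# check_upstream_key SRCDIR
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
check_upstream_key() {
    src=$1
    findings=0

    # Nag about every key that still sits in one of the older locations.
    for path in $LEGACY; do
        if [ -e "$src/$path" ]; then
            echo "W: upstream key in legacy location $path; use $PREFERRED"
            findings=$((findings + 1))
        fi
    done

    if [ -e "$src/$PREFERRED" ]; then
        # The .asc file should be an armored public key, as written by
        # gpg --export --armor --export-options export-minimal <key>
        if ! grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$src/$PREFERRED"; then
            echo "E: $PREFERRED is not an ASCII-armored public key"
            findings=$((findings + 1))
        fi
        # Secret key material must never be shipped in a source package.
        if grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----' "$src/$PREFERRED"; then
            echo "E: $PREFERRED contains private key material"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh check-key.sh /path/to/unpacked/source
if [ $# -gt 0 ]; then
    check_upstream_key "$1"
fi
```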