Hi!

On Tue, 2026-01-06 at 05:30:32 +0100, gregor herrmann wrote:
> On Mon, 05 Jan 2026 14:30:00 -0500, Louis-Philippe Véronneau wrote:
> > > > * debian-watch-does-not-check-openpgp-signature
> > > >   - last updated: 2018-12
> > > >   - 35,725 entries in UDD
> > > >   - This tag was changed to Experimental because it was not really
> > > >     actionable (#916207). I feel this is outside of the scope of what a
> > > >     lintian tag should recommend.
> > > I disagree.
> > Hmm ok, let's keep this one then.
>
> :sadface:
>
> I think this is the lintian tag I hate the most, because (Meta)CPAN
> doesn't support signatures, so I'm seeing this tag for each and
> every update of a Perl package, and I can't do anything about it.
>
> I remember the times when I had "lintian-clean" packages, and
> required this from new contributors. This ended with the invention
> of debian-watch-does-not-check-openpgp-signature (and since then
> many other questionable/unactionable tags).

Ah, I think that for upstream distribution sites that either do not
have the support or refuse/obsolete OpenPGP signatures, those should
then be excluded from this tag.

For (Meta)CPAN a Perl distribution would instead be able to provide
signatures via «cpansign» in the SIGNATURE file (over the MANIFEST
file).

I was thinking also about (AFAIR) pypi which obsoleted/banned new
OpenPGP signatures, where if the python module is recent enough and
known to be shipped from there then it could also exclude the tag.
(Just checked now and found again
<https://blog.pypi.org/posts/2023-05-23-removing-pgp/>.)

Thanks,
Guillem

