Hi!
On Fri, 2021-04-02 at 13:38:51 +0200, Guillem Jover wrote:
> On Fri, 2021-03-26 at 10:13:25 +0100, Christoph Biedl wrote:
> > However, I'm uncertain whether it's really worth the effort to maintain
> > d/u/s-k, or more precisely, ping maintainers to do so. Personally, I
> > really like it when us
[ CCing Daniel. ]
On Fri, 2021-03-26 at 17:31:16 +0100, Ansgar wrote:
> On Fri, 2021-03-26 at 09:06 -0700, Russ Allbery wrote:
> > I'm not all that familiar with the intended semantics of OpenPGP key
> > expirations, but intuitively I think a signature made before the
> > expiration should be cons
Hi!
[ Ccing Daniel, as he proposed the shipping of upstream signatures, so
leaving full context. ]
On Fri, 2021-03-26 at 10:13:25 +0100, Christoph Biedl wrote:
> a few days ago, I ran uscan on a package where I knew there was a new
> upstream version - just to encounter a validation error sinc
On Fri, Mar 26, 2021 at 9:15 PM Timo Röhling wrote:
> It's the same for me: the only package I maintain where upstream signs their
> releases is the package where I am also the author. And I really don't think
> that it provides any additional value for Debian in this particular
> constellation; I
On 2021-03-26 Christoph Biedl wrote:
> a few days ago, I ran uscan on a package where I knew there was a new
> upstream version - just to encounter a validation error since the
> keys in debian/upstream/signing-key.asc had expired.
[...]
> Another about 40 distinct keys will expire within the nex
Russ Allbery wrote...
> I think there's a bit of subtlety here in that if upstream uses a key with
> an expiration that they periodically extend (to provide a time-based
> cut-off if they lose control of the key for whatever reason, for
> instance), and that package is rarely updated because it's
Timo Röhling writes:
> * Russ Allbery [2021-03-26 13:01]:
>> If this were the case, it would be fine to re-sign *.dsc files, but
>> there has been quite a lot of opposition to that in the past. The
>> upstream signing key is at least as useful as the signature on the
>> *.dsc file, for exactly
* Russ Allbery [2021-03-26 13:01]:
Personally, I'd be happy to drop the upstream signing keys from all of my
packages and save a bit of work. I never use them as the package
maintainer because I'm the only upstream of my packaging that signs
packages, and therefore I already know the tarballs a
* Russ Allbery [2021-03-26 13:01]:
If this were the case, it would be fine to re-sign *.dsc files, but there
has been quite a lot of opposition to that in the past. The upstream
signing key is at least as useful as the signature on the *.dsc file, for
exactly the same reasons.
I do not underst
Timo Röhling writes:
> Once the package has been uploaded, it does no longer make a difference
> whether or not the upstream package was signed in the first place: any
> package will be protected by the Debian archive keys anyway.
If this were the case, it would be fine to re-sign *.dsc files, b
On 2021-03-26 09:35:31 -0700 (-0700), Russ Allbery wrote:
[...]
> We do have a trusted timestamp for the point at which the upstream
> tarball and signature were uploaded to the Debian archive, though,
> so if the key had not yet expired at that point, I think we can
> infer it wasn't expired when
* Russ Allbery [2021-03-26 09:35]:
We do have a trusted timestamp for the point at which the upstream tarball
and signature were uploaded to the Debian archive, though, so if the key
had not yet expired at that point, I think we can infer it wasn't expired
when the signature was made.
Once the
Ansgar writes:
> On Fri, 2021-03-26 at 09:06 -0700, Russ Allbery wrote:
>> I'm not all that familiar with the intended semantics of OpenPGP key
>> expirations, but intuitively I think a signature made before the
>> expiration should be considered valid, even if the key has now expired
>> and thus
On Fri, 2021-03-26 at 09:06 -0700, Russ Allbery wrote:
> I'm not all that familiar with the intended semantics of OpenPGP key
> expirations, but intuitively I think a signature made before the
> expiration should be considered valid, even if the key has now
> expired and thus shouldn't be used to m
Christoph Biedl writes:
> Of course I understand there are various reasons why this happens, and
> several are not the maintainer's fault. But at least in some cases it's
> obvious the maintainers didn't care: When there has been an upload with
> a new upstream version released after the expirati
Christoph Biedl wrote...
> PS: Those who want to argue lintian should check for such expired
> keys, I couldn't agree more. Please read the discussion in #985793 first.
Sorry, that should have been #964971.
Hello,
a few days ago, I ran uscan on a package where I knew there was a new
upstream version - just to encounter a validation error since the
keys in debian/upstream/signing-key.asc had expired.
After that, things escalated a little, and eventually I wrote a script
that downloads d/u/s-k for ea