Package: lintian
Severity: wishlist

Daniel Kahn Gillmor did a fantastic job in implementing PGP verification of upstream sources through uscan (bug #610712). A new option called pgpsigurlmangle was added to the opts= field of the watch file to generate the URL of the upstream PGP signature from the tarball URL. This signature is automatically downloaded and verified against a keyring stored in debian/upstream-signing-key.pgp.
This approach is similar to the openSUSE Factory build-time verification of GPG signatures, but done by Debian while downloading the upstream tarball.

Now it would be nice if this feature were actually used to make the verification step during the packaging of upstream software a little better. It is not meant to replace the review of the upstream source code, but it allows one to verify that no third party modified the code after the release against the will of upstream. We all know the phpMyAdmin, UnrealIRCd and ProFTPD debacles (to mention only some of them). This would at least make it a lot harder for an attacker to get such code to a wider audience through distributions like Debian.

Of course, not all upstream projects provide such signatures, but informing Debian Developers about the possibility of checking them can harden some packages. This in turn may lead to some Developers requesting such signatures from upstream. It is a process which needs time, but it must be started somewhere.

A pedantic-level check for the previously mentioned characteristics (pgpsigurlmangle in debian/watch and debian/upstream-signing-key.pgp) seems to be the right choice, because it is not required by policy and the signatures may not be provided by upstream. So it looks to me somewhat like no-upstream-changelog.
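To make the proposed check concrete, here is an added, stand-alone Python sketch (not lintian or uscan code) that parses a constructed debian/watch file, extracts the pgpsigurlmangle rule, applies a Perl-style s/regex/repl/ mangle the way uscan derives the signature URL from the tarball URL, and emits two hypothetical pedantic tag names when the watch rule or debian/upstream-signing-key.pgp is absent. The sample watch content and the tag names are assumptions for the demo.

```python
import re

# Constructed debian/watch content for the demo, not taken from any real package.
SAMPLE_WATCH = r'''version=3
# the signature lives next to the tarball, with ".asc" appended
opts="uversionmangle=s/-rc/~rc/,pgpsigurlmangle=s/$/.asc/" \
  http://example.org/releases/foo-(\d[\d.]*)\.tar\.gz
'''

def watch_lines(text):
    """Yield logical watch lines: comments and blanks dropped, backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        yield pending + line
        pending = ""

def pgpsigurlmangle(text):
    """Return the pgpsigurlmangle rule from the first watch line carrying one, else None."""
    for line in watch_lines(text):
        m = re.match(r'opts=(?:"([^"]*)"|(\S+))', line)
        if not m:
            continue  # the version= line or a watch line without opts
        for opt in (m.group(1) if m.group(1) is not None else m.group(2)).split(","):
            key, _, rule = opt.partition("=")  # rules themselves may contain '='
            if key == "pgpsigurlmangle":
                return rule
    return None

def apply_mangle(rule, url):
    """Apply a Perl-style s/regex/repl/[g] rule ('/' delimiter, $N groups) to url."""
    m = re.fullmatch(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)", rule)
    if not m:
        raise ValueError("unsupported mangle rule: " + rule)
    pattern, repl, g = m.groups()
    repl = re.sub(r"\$(\d+)", r"\\\1", repl)  # $1 -> \1 for Python's re
    return re.sub(pattern, repl, url, count=0 if g else 1)

def signature_tags(watch_text, key_present):
    """Hypothetical pedantic tag names for the two characteristics the report names."""
    tags = []
    if pgpsigurlmangle(watch_text) is None:
        tags.append("no-upstream-signature-check")
    if not key_present:
        tags.append("no-upstream-signing-key")
    return tags
```

A real check would read debian/watch from the source package and test os.path.isfile on debian/upstream-signing-key.pgp before calling signature_tags.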