Hi Guillem--

sorry for not responding to this, somehow i think i missed it when
it first came through (thanks to pabs for the nudge)

On Wed 2014-08-27 19:58:40 +0200, Guillem Jover wrote:
> Ah, hmmm, yeah make sense. It also does really make sense as an
> additional file alongside the others referenced from the .dsc
> metadata. As a minor detail, the .asc would not be included in the
> .changes file when the orig.tar is not included either in the upload.

Yes, i think that's correct.

> I'm thinking dpkg-source would automatically include it if it finds it
> side by side the orig.tar. But I'm not comfortable just adding it as is,
> I'd probably want to bump the minor version of the format. As this gets
> us to the problem that we currently conflate the .dsc file format version
> with the actual source format version.

i don't know what the implications are of bumping the minor version of
the format, but if you feel that's what you need to do, i've got no
problems with it.

> It probably does not make sense to verify the signature on unpack and
> fail hard by default, because most probably the user will not have the
> signer's key.

actually, the signers key should be present in
debian/upstream/signing-key.asc.  i recognize that this may not be
acceptable for verification purposes in all cases, like if you just
fetched the packages and you haven't verified the debian source itself.
But if you've verified the debian package, you should be able to do
something like extracting the signing-key from the debian.tar.gz and
then verify the upstream signature on the tarball as a corroborative
approach.

> I'm not sure if even verifying as warning might make sense as default
> either if it's just going to annoy people at large.  But I could see
> either a new option to make it verify it at all (and fail hard), or to
> turn the verify from possibly a warning into a fatal error.

would the presence of debian/upstream/signing-key.asc be a reasonable
signal to distinguish between warnings and errors?  fwiw, i'd be fine
with just starting as a warning, and we can think about making things
stricter once we have data in place.

> Does this sound good(ish)?

sounds good to me, yes.  thanks for your work on this.

regards,

        --dkg

Attachment: signature.asc
Description: PGP signature
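The corroborative check dkg sketches above (pull the upstream key out of the debian tarball, then verify the detached .asc on the orig tarball with only that key, warning or failing depending on whether debian/upstream/signing-key.asc is present) as an added POSIX shell example. This is not code from the thread or from dpkg; it assumes gpg and tar are in PATH, that the .asc sits beside the orig tarball, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not dpkg-source's own code. Assumed layout:
#   foo_1.0.orig.tar.gz, foo_1.0.orig.tar.gz.asc (detached signature),
#   foo_1.0-1.debian.tar.xz containing debian/upstream/signing-key.asc

# Policy signal proposed in the thread: if the packager shipped an
# upstream key, treat a failed verification as fatal, otherwise warn.
# Prints "fatal" or "warn" for an unpacked source tree.
upstream_sig_policy() {
    src_dir=$1
    if [ -f "$src_dir/debian/upstream/signing-key.asc" ]; then
        echo fatal
    else
        echo warn
    fi
}

# Report a failure according to the policy: return 1 (and ERROR) for
# "fatal", return 0 (and WARNING) for anything else.
fail_per_policy() {
    policy=$1
    shift
    if [ "$policy" = fatal ]; then
        echo "ERROR: $*" >&2
        return 1
    fi
    echo "WARNING: $*" >&2
    return 0
}

# Extract debian/upstream/signing-key.asc straight out of the debian
# tarball into an isolated GnuPG homedir, so the user's own keyring is
# neither needed nor modified (the thread's point that the user will
# usually not have the signer's key).
import_upstream_key() {
    debian_tar=$1
    homedir=$2
    mkdir -p "$homedir" && chmod 700 "$homedir"
    tar -xOf "$debian_tar" debian/upstream/signing-key.asc \
        | gpg --homedir "$homedir" --batch --quiet --import
}

# Verify orig_tar against orig_tar.asc using only the extracted key.
# --trust-model always: the key was taken from a Debian package the
# caller has already verified, so web-of-trust validity is irrelevant.
verify_upstream_tarball() {
    orig_tar=$1
    homedir=$2
    policy=$3
    if [ ! -f "$orig_tar.asc" ]; then
        fail_per_policy "$policy" "no detached signature for $orig_tar"
        return $?
    fi
    if gpg --homedir "$homedir" --batch --quiet --trust-model always \
           --verify "$orig_tar.asc" "$orig_tar" 2>/dev/null; then
        echo "upstream signature OK: $orig_tar"
        return 0
    fi
    fail_per_policy "$policy" "upstream signature does not verify: $orig_tar"
}

# Usage (after dpkg-source -x has produced ./foo-1.0 from foo_1.0-1.dsc):
#   policy=$(upstream_sig_policy foo-1.0)
#   import_upstream_key foo_1.0-1.debian.tar.xz /tmp/upstream-gnupg
#   verify_upstream_tarball foo_1.0.orig.tar.gz /tmp/upstream-gnupg "$policy"
```

Because the key comes out of the same debian tarball whose integrity is covered by the .dsc signature, this only corroborates the upstream tarball; it does not replace verifying the Debian source package itself, which is the caveat dkg raises.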