Package: git-buildpackage
Version: 0.8.4
Severity: wishlist

Dear Maintainer,

`gpg import-orig --upstream-vcs-tag` provides a nice way to preserve the upstream VCS tree up to the most recent tag. However, signed upstream tags, when present, are currently not verified. It would be nice to provide an option for automatic tag verification using the armored keyring from debian/upstream/signing-key.asc, to match uscan(1) signature verification logic.

In cases where upstream generates tarballs based on VCS tags, maintainers could then easily avoid downloading upstream tarballs altogether while 1/ preserving the upstream VCS tree, and 2/ still being able to ensure upstream code integrity.

Thanks for maintaining gbp!

-- Guilhem.
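The check requested above can be done by hand before importing; the following is an added example, not part of the original report and not gbp code. The function name, its return codes and the throwaway GNUPGHOME approach are assumptions of this example, and it relies on `git verify-tag` rather than gpgv, so it approximates uscan's logic rather than reproducing it.

```shell
#!/bin/sh
# verify_upstream_tag TAG [KEYRING]
# Verify a signed upstream Git tag against only the keys shipped in the
# package's armored upstream keyring, ignoring the caller's own keyring.
# Return codes (chosen for this example):
#   0 = good signature made by a key in the keyring (fingerprint on stdout)
#   1 = tag unsigned, signature bad, or signer not in the keyring
#   2 = usage error or keyring missing
verify_upstream_tag() {
    vut_tag=$1
    vut_keyring=${2:-debian/upstream/signing-key.asc}

    [ -n "$vut_tag" ] || { echo "usage: verify_upstream_tag TAG [KEYRING]" >&2; return 2; }
    [ -s "$vut_keyring" ] || { echo "no keyring at $vut_keyring" >&2; return 2; }

    # Fresh GnuPG home: a key that is merely present in the maintainer's
    # personal keyring must not be enough to make the tag verify.
    vut_home=$(mktemp -d) || return 2
    chmod 700 "$vut_home"

    vut_rc=1
    if GNUPGHOME=$vut_home gpg --batch --quiet --import "$vut_keyring" 2>/dev/null; then
        # --raw sends GnuPG status lines to stderr; git's exit status is
        # non-zero for unsigned tags, bad signatures and unknown keys.
        if vut_status=$(GNUPGHOME=$vut_home git verify-tag --raw "$vut_tag" 2>&1 >/dev/null); then
            # Report which key signed, so it can be compared with the changelog
            # or upstream's published fingerprint.
            printf '%s\n' "$vut_status" | awk '$2 == "VALIDSIG" { print $3; exit }'
            vut_rc=0
        fi
    fi

    # Stop any helper daemons started for the temporary home, then remove it.
    GNUPGHOME=$vut_home gpgconf --kill all 2>/dev/null || :
    rm -rf "$vut_home"
    return $vut_rc
}
```

Run it from the packaging repository after fetching upstream's tags and before the import, and stop if it returns non-zero.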