On Wed, Dec 04, 2024 at 08:57:31PM +0100, Jochen Sprickerhof wrote:
> > I'm not sure what the correct course of action is here, making that check
> > optional? Disabled or enabled by default, with a way to override it?
>
> I think making it a warning would make sense. Do you want to send an MR?
The signature on dak's input files (.changes, .dsc) is checked for validity exactly once: at package acceptance time. Afterwards there is no guarantee whatsoever that anyone is able to validate the result. Keys come and go from the keyring.

If we want to do some verification in order not to trust the mirrors/CDN in between, we can ship the archive keyrings over time and try to chain back to the relevant index signatures. But that's a much bigger change.

Somehow I never really had dscverify succeed for me anyhow. The debian-keyring package is only infrequently updated; one would need to fetch the current keyring via rsync from the main server. So I'm quite dubious about this feature in debsnap. :/

Kind regards
Philipp Kern
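As an added illustration of the "make it a warning" idea discussed above (my own example code, not from debsnap, dak or either poster): a small wrapper that runs `gpgv` with `--status-fd` and classifies its status lines, so that a key that has simply dropped out of the keyring (the "keys come and go" case) becomes a warning, while a signature that actually fails to verify stays an error. The distinction between the two outcomes is my design choice, not something the thread proposes. Assumptions: `gpgv` is on PATH, the keyring path is the usual debian-keyring location, and the key IDs in the sample status output are constructed for the demo.

```python
import re
import subprocess
from typing import Iterable, List, Tuple

# Assumed default location of the debian-keyring package's keyring.
DEFAULT_KEYRING = "/usr/share/keyrings/debian-keyring.gpg"

# gpgv --status-fd lines look like "[GNUPG:] KEYWORD args...".
_STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")


def classify_status(lines: Iterable[str]) -> Tuple[str, str]:
    """Map gpgv status-fd output to (verdict, reason).

    verdict is one of:
      "ok"      - GOODSIG/VALIDSIG and nothing contradicting it
      "warning" - signature present but the key is not in the keyring
                  (NO_PUBKEY / ERRSIG), so it cannot be checked
      "error"   - BADSIG, expired/revoked key, or no signature at all
    """
    verdict, reason = "error", "no signature status reported"
    good = False
    for raw in lines:
        m = _STATUS_RE.match(raw.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "")
        first = (args.split() or ["?"])[0]
        if keyword == "BADSIG":
            # A real verification failure: never downgrade this.
            return "error", f"bad signature from key {first}"
        if keyword in ("EXPKEYSIG", "REVKEYSIG"):
            return "error", f"{keyword.lower()} for key {first}"
        if keyword == "NODATA":
            return "error", "no OpenPGP signature found"
        if keyword == "NO_PUBKEY":
            verdict, reason = "warning", f"key {first} not in keyring"
        elif keyword == "ERRSIG" and verdict != "warning":
            # ERRSIG rc=9 accompanies NO_PUBKEY; other rcs are also uncheckable.
            verdict, reason = "warning", f"could not check signature: {args}"
        elif keyword in ("GOODSIG", "VALIDSIG"):
            good = True
    if good and verdict == "error":
        return "ok", "signature verified"
    return verdict, reason


def verify_dsc(path: str, keyring: str = DEFAULT_KEYRING) -> Tuple[str, str]:
    """Run gpgv on a .dsc/.changes file and classify the outcome."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, path],
        capture_output=True, text=True, check=False,
    )
    # Status lines go to stdout because of --status-fd 1; human messages to stderr.
    return classify_status(proc.stdout.splitlines())


# Constructed sample status output (key IDs are made up for the demo).
SAMPLE_MISSING_KEY: List[str] = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1700000000 9 -",
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF",
]
SAMPLE_GOOD: List[str] = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG FEDCBA9876543210 Example Maintainer <example@example.org>",
    "[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF00112233 2024-12-04 1700000000 0 4 0 1 10 00 "
    "00112233445566778899AABBCCDDEEFF00112233",
]
SAMPLE_BAD: List[str] = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG FEDCBA9876543210 Example Maintainer <example@example.org>",
]

if __name__ == "__main__":
    for name, sample in (("missing key", SAMPLE_MISSING_KEY),
                         ("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, "->", classify_status(sample))
```

A caller such as a snapshot-fetching tool would print the reason and continue on `"warning"`, but abort on `"error"`; a bad signature is evidence of tampering in transit, whereas a missing key only means the keyring at hand is too old or too new to say anything.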