On the question of whether this gbp.conf option is really needed, or whether the use of signatures can be implied by the key:

> > - upstream-signatures
>
> One can already figure this out by checking the existence of
> debian/upstream/signing-key.asc. Why duplicate this here?
I wonder if we really can make this assumption. I think we can assume for sure that this file contains one or more keys that the Debian maintainer has checked and chosen to trust as legitimate keys upstream uses for signing. But can we also assume it means that these keys are only for checking upstream tarball signatures, and not e.g. git commit or tag signatures? And that if this file exists, it would mean that upstream always publishes signatures on every release, immediately starting from the first new upstream import after this file was created? Maybe we can assume so; I am not sure. But we should maybe have it recorded as a design decision and assumption in the Debian Policy.