Hi, Currently dak requires signatures on .changes & .dsc uploads. .changes with signatures are publicly announced and then .dsc are published in the archive with signatures. .changes references .dsc.
All .dsc have Checksums-Sha256 for the files they reference, .dsc itself can be verified through strong checksum in Sources metadata, chained via InRelease to the strong debian archive key signature. The same is not true for signatures on .dsc themselves. Majority of .dsc use at least sha256 and can be successfully verified. But some use weak hash: 5 dsc signed using Hash: RIPEMD160 152 dsc signed using Hash: SHA1 And many of them cannot be verified using debian-keyring: 2,455 no public key 3 wrong key usage Lists of affected .dsc are published at https://people.canonical.com/~xnox/dsc-analysis/ due to size. This makes me wonder if signatures on uploaded or published .dsc have any value at all. Ultimately one should use apt secure to retrieve both .deb and .dsc; and verify .changes signature if one wants to figure out authorship. Should we upload sourceful NMU to eliminate SHA1, RIPEMD160, wrong-key-usage signatures in .dsc? Should we stop requiring signed .dsc on uploads? -- Regards, Dimitri.
