On Tue, 2016-04-12 at 21:14 +0900, Osamu Aoki wrote:

> I assume "create" means "create a copy of the upstream-generated
> signature" as foo_0.1.2.orig.tar.gz.asc which can be
> verified by the keyring debian/upstream/signing-key.pgp in the older
> package.

Correct.

> I am a bit confused what kind of assurance it brings to the end user.

If the user has a trust path to upstream, they can be sure that Debian
hasn't modified the upstream tarball.

I think we had more use cases but can't remember, hopefully dkg (CCed)
remembers some of them. I expect it is mostly useful to Debian.

I expect this will be useful for binary transparency efforts:

https://pad.riseup.net/p/binary-transparency
https://github.com/FreeBSDFoundation/binary-transparency-notes
https://boingboing.net/2016/03/10/using-distributed-code-signatu.html

> Also if a new upstream package is signed by a new upstream key, uscan
> using old key will fail. ...

Yes, this is expected and should result in the Debian maintainer
investigating the situation and contacting upstream to clarify it.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
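Added example, not code from devscripts, uscan, or anyone in this thread: it reproduces with GnuPG the check the thread discusses (a detached upstream signature verified against the pinned keyring) and the two ways it fails, a signature from a new upstream key and a tarball modified after signing. The key user ids, file names and tarball contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not devscripts/uscan code. Assumes GnuPG >= 2.1 (gpg, gpgv) is
# installed; keys, user ids, tarball contents and paths are all constructed here.

# Verify a detached upstream signature against a pinned keyring, which is the
# check uscan performs with debian/upstream/signing-key.pgp.
# Returns 0 for a good signature by a key in the keyring, non-zero otherwise.
verify_upstream_sig() {
  # $1 tarball, $2 detached signature, $3 keyring file
  gpgv --quiet --keyring "$3" "$2" "$1" 2>/dev/null
}

# Create the "old" and "new" upstream keys, a constructed tarball, and a pinned
# keyring that contains only the old key (uses the exported GNUPGHOME).
setup_scenario() {
  for who in old new; do
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "upstream-$who@example.invalid" default default never
  done
  printf 'constructed tarball contents\n' > "$1/foo_0.1.2.orig.tar.gz"
  gpg --batch --quiet --export "upstream-old@example.invalid" > "$1/signing-key.pgp"
}

# Detach-sign $2 with key $1, producing $2.asc like an upstream release would.
sign_with() {
  gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
      --local-user "$1" --armor --detach-sign --output "$2.asc" "$2"
}

# Three cases: old key signs (verifies); new upstream key signs (fails, so the
# maintainer must investigate, as the thread says); tarball modified after
# signing (fails, which is the "Debian hasn't modified it" assurance).
run_scenarios() {
  work=$(mktemp -d)
  export GNUPGHOME="$work/gnupg"
  mkdir -m 700 "$GNUPGHOME"
  setup_scenario "$work"
  tb="$work/foo_0.1.2.orig.tar.gz"; kr="$work/signing-key.pgp"
  sign_with "upstream-old@example.invalid" "$tb"
  verify_upstream_sig "$tb" "$tb.asc" "$kr" && r1=ok || r1=fail
  sign_with "upstream-new@example.invalid" "$tb"
  verify_upstream_sig "$tb" "$tb.asc" "$kr" && r2=ok || r2=fail
  sign_with "upstream-old@example.invalid" "$tb"
  printf 'tampered\n' >> "$tb"
  verify_upstream_sig "$tb" "$tb.asc" "$kr" && r3=ok || r3=fail
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  echo "$r1 $r2 $r3"
}
```

Source the file and call run_scenarios; it prints `ok fail fail`, one word per case in the order above.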
