Your message dated Sat, 23 May 2026 18:03:54 +0000
with message-id <[email protected]>
and subject line Bug#742552: fixed in developers-reference 14.10
has caused the Debian Bug report #742552,
regarding developers-reference should encourage verification of upstream cryptographic signatures
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
742552: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742552
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: debian-policy
Severity: normal
Tags: patch

debian-policy should encourage verification of upstream cryptographic
signatures.


Since devscripts 2.13.3 (see #610712), uscan has supported the ability
to automatically verify upstream's cryptographic signatures if the
signing key and URL to the signature is well-known.
 
debian-policy should recommend that package maintainers regularly
verify these signatures for new versions, and mention the files used.

A proposed patch for debian-policy is attached.
commit f267cc2134197533bce3af8152aef15217967813
Author: Daniel Kahn Gillmor <[email protected]>
Date:   Tue Dec 17 23:15:08 2013 -0500

    Encourage verification of upstream cryptographic signatures
    
    Since devscripts 2.13.3 (see #610712), uscan has supported the ability
    to automatically verify upstream's cryptographic signatures if the
    signing key and URL to the signature is well-known.
    
    debian-policy should recommend that package maintainers regularly
    verify these signatures for new versions, and mention the files used.

diff --git a/policy.sgml b/policy.sgml
index dad8d23..ebe486f 100644
--- a/policy.sgml
+++ b/policy.sgml
@@ -2373,8 +2373,31 @@ endif
           distribution as a whole.
         </p>
 
-      </sect>
+	<p>
+	  If the package's upstream source offers detached
+	  cryptographic signatures of their source, it is recommended
+	  to use the <tt>pgpsigurlmangle</tt> option to locate the
+	  upstream signature file
+	  and <qref id="debianupstreamsigningkey"><tt>debian/usptream-signing-key.pgp</tt></qref>
+	  to indicate the acceptable signing key
+	  (see <manref name="uscan" section="1"> for details).
+	</p>
 
+      </sect>
+      <sect id="debianupstreamsigningkey">
+        <heading>Upstream signing key: <file>debian/upstream-signing-key.pgp</file></heading>
+	<p>
+	  If the package's upstream offers cryptographic signatures of
+	  their source, this optional, recommended file should contain
+	  a binary OpenPGP (RFC 4880) keyring consisting of all
+	  OpenPGP keys that the package maintainer considers
+	  acceptable to sign new upstream releases of the software
+	  (see <qref id="debianwatch"><tt>pgpsigurlmangle</tt>
+	  from <tt>debian/watch</tt></qref> for instructions on how to
+	  tell <tt>uscan</tt> how to find the signatures themselves
+	  when new versions are available).
+	</p>
+      </sect>
       <sect id="debianfiles">
 	<heading>Generated files list: <file>debian/files</file></heading>
 
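Review bot: the `<qref>` in the first added paragraph (the one following "distribution as a whole.") spells the keyring path `debian/usptream-signing-key.pgp`, while the new sect heading a few lines later spells it `debian/upstream-signing-key.pgp`; the typo should be fixed so the documented path matches the file uscan actually looks for. Minor wording: "If the package's upstream source offers detached cryptographic signatures of their source" is redundant; "If upstream offers detached cryptographic signatures of the source" reads better.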

--- End Message ---
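As an added illustration (not code from the bug report, from uscan or from debian-policy) of the mechanism the report describes: a small Python model of how a `pgpsigurlmangle` option in `debian/watch` turns a tarball URL into the URL of its detached signature, which is then checked against the maintainer-supplied keyring. The watch line, URLs and function names are constructed for the example.

```python
import re

# Constructed version=3 style debian/watch line: an opts= word followed by
# the URL pattern. Illustration only, not uscan's own parser.
WATCH_LINE = r"opts=pgpsigurlmangle=s/$/.asc/ https://example.org/releases/foo-(\d+\.\d+)\.tar\.gz"

# Keyring paths uscan consults: the one proposed in the bug report's patch,
# and the armored location used by current devscripts.
KEYRING_PATHS = ("debian/upstream-signing-key.pgp", "debian/upstream/signing-key.asc")


def parse_opts(line):
    """Split a watch line into its opts dict and the remaining URL pattern.
    Comma-separated opts only; quoted values with spaces are not handled."""
    opts = {}
    if line.startswith("opts="):
        raw, _, rest = line.partition(" ")
        for item in raw[len("opts="):].split(","):
            key, _, value = item.partition("=")
            opts[key] = value
    else:
        rest = line
    return opts, rest.strip()


def apply_mangle(expr, text):
    """Apply a Perl-style s<delim>pat<delim>repl<delim>flags substitution, as
    uscan's *mangle options do. Handles a single-character delimiter and the
    'g' and 'i' flags; escaped delimiters inside pat/repl are not supported."""
    if not expr.startswith("s") or len(expr) < 4:
        raise ValueError("unsupported mangle: %r" % expr)
    delim = expr[1]
    parts = expr[2:].split(delim)
    if len(parts) != 3:
        raise ValueError("malformed mangle: %r" % expr)
    pat, repl, flags = parts
    count = 0 if "g" in flags else 1
    re_flags = re.IGNORECASE if "i" in flags else 0
    # Perl writes back-references as $1..$9; Python's re.sub wants \1..\9.
    repl = re.sub(r"\$(\d)", r"\\\1", repl)
    return re.sub(pat, repl, text, count=count, flags=re_flags)


def signature_url(watch_line, tarball_url):
    """Return the detached-signature URL for tarball_url, or None when the
    watch line configures no signature verification at all."""
    opts, _ = parse_opts(watch_line)
    mangle = opts.get("pgpsigurlmangle")
    if mangle is None:
        return None
    return apply_mangle(mangle, tarball_url)
```

With the signature URL in hand, uscan fetches both files and verifies the signature against the keyring (e.g. `gpgv --keyring debian/upstream-signing-key.pgp foo-1.2.tar.gz.asc foo-1.2.tar.gz`); a missing keyring means the download is accepted unverified, which is exactly the gap the report asks policy to close.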
--- Begin Message ---
Source: developers-reference
Source-Version: 14.10
Done: Holger Levsen <[email protected]>

We believe that the bug you reported is fixed in the latest version of
developers-reference, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <[email protected]> (supplier of updated developers-reference package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 23 May 2026 19:12:16 +0200
Source: developers-reference
Architecture: source
Version: 14.10
Distribution: unstable
Urgency: medium
Maintainer: Developers Reference Maintainers <[email protected]>
Changed-By: Holger Levsen <[email protected]>
Closes: 742552 1136791
Changes:
 developers-reference (14.10) unstable; urgency=medium
 .
   [ Serafeim (Serafi) Zanikolas ]
   * pkgs, tools: update adequate section, and recommend it from "Testing the
     package". Closes: #1136791.
   * best-pkging-practices: encourage automatic verification of upstream release
     signatures. Closes: #742552.
 .
   [ Holger Levsen ]
   * Update all .po files for changed strings in the English original.




--- End Message ---
