On 12/18/2013 09:06 AM, Osamu Aoki wrote:
> On Tue, Dec 17, 2013 at 11:41:01PM -0500, Daniel Kahn Gillmor wrote:
>> The maint-guide should recommend that package maintainers regularly
>> verify these signatures for new versions, and mention the files used.
>
> I agree.
Great, thanks for the prompt follow-up!
>> A proposed patch for maint-guide is attached.
>
> Thanks I will consider. I think what you wish to add is worth doing but
> adding a new section <section id="upstreamsigningkey"> here seems to be
> irregular. I want everything to fit in a watch file section. Let me
> think. (Also, text can be a bit shorter with pointers.)
Shorter is good :) I broke out the upstream-signing-key.pgp file as a
separate section because that part of the maintainer's guide seems to
have a separate section per file, and because it's conceivable that the
key could be used in other contexts besides debian/watch.
For example, over on #debian-qa, helmut proposed:
>> would it be possible to include the upstream signature in the debian
>> source package? I mean we do have multiple-tarball in 3.0, so maybe
>> it can be hacked into allowing auxiliary .sig files?
So debian/upstream-signing-key.pgp could be used to verify that, if we
were to ship such a thing.
Anyway, however you want to arrange it in the maint-guide would be great.
Thanks for maintaining the guide for us maintainers :)
--dkg
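The check the thread is talking about, as an added example that is not part of the original message, the maint-guide or uscan: a tarball's detached OpenPGP signature is verified against the keyring the maintainer ships as debian/upstream-signing-key.pgp and nothing else. The upstream key, the tarball, its signature and the tampered copy are all constructed inside the script so it runs offline; the helper name verify_upstream and the package name foo-1.0 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the maint-guide or this thread): verify an upstream
# tarball's detached OpenPGP signature against the keyring the maintainer ships
# as debian/upstream-signing-key.pgp, and nothing else. The upstream key,
# tarball and signature are all constructed here so the script runs offline.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not available; skipping"; exit 0; }

WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# --- Stand-in for "upstream": a throwaway key that signs a release ----------
export GNUPGHOME="$WORK/upstream-gnupg"
mkdir -m 700 "$GNUPGHOME"
gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Upstream Test
Name-Email: upstream@example.invalid
Expire-Date: 0
%commit
EOF

printf 'int main(void) { return 0; }\n' > "$WORK/hello.c"   # constructed content
tar -C "$WORK" -czf "$WORK/foo-1.0.tar.gz" hello.c
gpg --batch --quiet --yes --armor --detach-sign \
    --output "$WORK/foo-1.0.tar.gz.asc" "$WORK/foo-1.0.tar.gz"

# --- What the maintainer ships: only the upstream public key, binary format ---
mkdir -p "$WORK/pkg/debian"
KEYRING="$WORK/pkg/debian/upstream-signing-key.pgp"
gpg --batch --quiet --export upstream@example.invalid > "$KEYRING"

# verify_upstream KEYRING TARBALL SIGNATURE  (hypothetical helper name)
# Runs gpg in an empty, temporary home with --no-default-keyring so that only
# the shipped key can satisfy the check; the maintainer's own keyring and any
# locally trusted keys play no part. KEYRING must be an absolute path, because
# gpg resolves bare names relative to GNUPGHOME. Returns gpg's exit status:
# 0 only for a good signature made by a key present in KEYRING.
verify_upstream() {
    vhome=$(mktemp -d)
    rc=0
    GNUPGHOME="$vhome" gpg --batch --no-default-keyring --keyring "$1" \
        --verify "$3" "$2" >/dev/null 2>&1 || rc=$?
    rm -rf "$vhome"
    return $rc
}

# A tampered copy: one extra byte is enough for gpg to report a BAD signature.
cp "$WORK/foo-1.0.tar.gz" "$WORK/evil.tar.gz"
printf 'x' >> "$WORK/evil.tar.gz"
# A keyring without the upstream key: the signature cannot be checked at all.
: > "$WORK/empty.pgp"

if verify_upstream "$KEYRING" "$WORK/foo-1.0.tar.gz" "$WORK/foo-1.0.tar.gz.asc"; then
    echo "foo-1.0.tar.gz: good signature by a key in debian/upstream-signing-key.pgp"
fi
verify_upstream "$KEYRING" "$WORK/evil.tar.gz" "$WORK/foo-1.0.tar.gz.asc" \
    || echo "evil.tar.gz: verification failed as expected (tampered tarball)"
verify_upstream "$WORK/empty.pgp" "$WORK/foo-1.0.tar.gz" "$WORK/foo-1.0.tar.gz.asc" \
    || echo "empty keyring: verification failed as expected (signer not shipped)"
```

In a real package the same check is driven from debian/watch, where a rule such as `opts=pgpsigurlmangle=s/$/.asc/` tells uscan how to derive the signature URL from the tarball URL; uscan then runs gpg with the shipped keyring much as the helper above does. Two caveats a maintainer should keep in mind: a good signature only proves the tarball was signed by a key in the shipped keyring, so the keyring itself has to be obtained and checked carefully (fingerprint over a trusted channel, not just the key the download site offers), and later versions of uscan moved the file to debian/upstream/signing-key.asc, so check the uscan(1) manual of the devscripts version you target before relying on the .pgp name.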