I second the request that this lintian check just be a warning, not an error.
Please also accept binary signature files--and I realize more than just lintian will have to change to support that. The GNU Project's files are signed with "gpg -b" to produce a binary ".sig" file for uploading to ftp.gnu.org. That site is the natural upstream repository for the bulk of GNU Project packages, and the ".sig" files on that site should be the canonical signatures for those packages. That would allow one master signature file for a package--the binary ".sig" file that I and other GNU Project maintainers upload to GNU's FTP site along with a package. Now that lintian is throwing an error if a ".orig.tar.gz.asc" file is missing, addressing this change is more important. I realize that packaging tools will also need to recognize and use a ".sig" file as an alternative to a ".asc" file. Multiple applications can create packages, so multiple bug reports might be necessary to make that change. In my case, I am using pdebuild. It did not recognize a ".sig" file that I created for a ".orig.tar.gz" file (I just tried after getting the lintian error). Running a command of the form "gpg --verify mypkg_orig.tar.gz.sig" sees that the signature is valid for the tarball. In the meantime, will anyone object to our using a lintian override for this? Thanks, Paul Hardy
