Hi Scott,

Many people find the tag cumbersome, and some people think it should
go away. At the same time, upstream sources are more trustworthy when
verified, and that is in the project's overall interest. Could your
concern be resolved by better naming?

I process the tag name (it has already been renamed once [1]) as
"debian-watch-does-not-check-A-gpg-signature." Without a signature,
that is an objective fact.

On Tue, Dec 11, 2018 at 5:18 AM Scott Kitterman <deb...@kitterman.com> wrote:
> As designed, debian-watch-does-not-check-gpg-signature does not check if
> upstream provides a GPG signature to make checking it possible.

When I process the name as
"debian-watch-does-not-check-THE-gpg-signature"---which is maybe the
way you are reading it---it means the same as
'debian-watch-could-verify-download' but the tag does not behave like
it.

My suggestion would be to rename the tag to
'built-from-unverified-sources' or similar. What do you think?

> when if there's no upstream signature, it's not at all a problem
> the maintainer can fix.  "Certainty: possible" seems much more reasonable to
> me.

The tag would continue to be of Certainty: certain.

Kind regards,
Felix

[1] https://salsa.debian.org/lintian/lintian/commit/0cbebd4ba0b2a067383616e18981eeb9de5d7df2
