On Fri, Feb 12, 2021 at 08:59:12AM +0100, Raphael Hertzog wrote:
> Control: block -1 by 876643
>
> Hi,
>
> thanks for your quick answer!
>
> On Fri, 12 Feb 2021, Guillem Jover wrote:
> > > If we assume that the archive is meant to store immutable content
> > > under a given filename (and to me that requirement seems to be a good
> > > idea), then we should question ourselves whether we really want to store
> > > those signatures in a filename that's associated to the upstream version.
> > > They should either be tied to the Debian revision (so that they can change
> > > over time without any new upstream release) or be incorporated in the
> > > Debian tarball.
> >
> > The upstream signatures are important to determine the provenance of
> > the source at the time of packaging, just like the signatures on .dsc,
> > both lose relevance once they hit an archive.
>
> I agree with this. Why do we want to upload them and store them forever
> then?
>
> > This seems mostly a tooling problem TBH.
>
> Yeah, it would go a long way if pristine-tar would store the associated
> signature and restore it as well. It's easy to forget to include it
> when the uploads are not done by the same person.

It can, since version 1.41:

  debcheckout confget
  cd confget
  git checkout pristine-tar
  git checkout master
  git checkout debian/master
  pristine-tar checkout -s ../confget_2.3.4.orig.tar.xz.asc ../confget_2.3.4.orig.tar.xz
  gpg --verify ../confget_2.3.4.orig.tar.xz{.asc,}

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13