On Thu, Feb 11, 2021 at 09:59:42PM +0100, Raphaƫl Hertzog wrote: > Those files are not really meant to be immutable: > - signing keys can expire and be revoked, upstream might want to update > signatures of already released tarballs > - the set of "upstream release managers" might evolve over time and the > official signature to use might change... > As far as we're concerned they are immutable, they are the signature of the tarball at the time that tarball was uploaded to debian. There's no reason for that to change without the tarball itself changing, at which point both filenames change.
Cheers, Julien