Package: general
Severity: normal
User: de...@kali.org
Usertags: origin-kali
X-Debbugs-Cc: hert...@debian.org, debian-d...@lists.debian.org
Control: affects -1 ftp.debian.org dpkg-dev

Hi people,

After having been bitten (in Kali) by failures to import Debian packages because a PGP signature file has been modified [1], this led me to think about this problem space and I concluded that the way we are storing such signatures is not appropriate.

Those files are not really meant to be immutable:
- signing keys can expire and be revoked, upstream might want to update signatures of already released tarballs
- the set of "upstream release managers" might evolve over time and the official signature to use might change...

If we assume that the archive is meant to store immutable content under a given filename (and to me that requirement seems to be a good idea), then we should ask ourselves whether we really want to store those signatures in a filename that's associated to the upstream version. They should either be tied to the Debian revision (so that they can change over time without any new upstream release) or be incorporated in the Debian tarball. After all, the key to verify those signatures is already stored in the Debian tarball (when you use the uscan feature to verify those signatures), so why not store the signature there as well?

I originally filed this in https://bugs.debian.org/949962 against ftp.debian.org but the bug got closed because it's not really the responsibility of ftpmasters to change this. So I'm starting a wider discussion to gather feedback of all interested parties (at least Guillem as dpkg maintainer). I won't drive this much further but I wanted to have it properly recorded and considered.

Cheers,

[1] For details, it happened in dbus-glib:
https://snapshot.debian.org/package/dbus-glib/0.110-2/ -> it has .asc file
https://snapshot.debian.org/package/dbus-glib/0.110-3/ -> no .asc
https://snapshot.debian.org/package/dbus-glib/0.110-4/ -> no .asc
https://snapshot.debian.org/package/dbus-glib/0.110-5/ -> it has a different .asc file
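The failure described above (an upstream-tied .orig.tar.gz.asc whose content differs, or goes missing, between Debian revisions of the same upstream version) can be spotted before an import breaks by comparing the Checksums-Sha256 stanzas of the .dsc files of consecutive revisions. The following script is an added example written for this report, not part of the report, of dpkg-dev or of any Debian tooling; the .dsc fragments, file sizes and the repeated-character hashes are constructed placeholders standing in for real metadata, and the upstream/Debian version split and the string-based revision ordering are simplifications (real comparison would go through dpkg --compare-versions).

```python
"""Flag upstream-tied files (orig tarball, its .asc) whose SHA-256 changes or
disappears across Debian revisions of the same upstream version, based only on
the Checksums-Sha256 stanza of each revision's .dsc. Added example, not Debian code."""
import re
from collections import defaultdict

# One stanza line: " <sha256> <size> <filename>"
CHECKSUM_LINE = re.compile(r"^ ([0-9a-f]{64}) +\d+ +(\S+)$")


def parse_sha256(dsc_text):
    """Return {filename: sha256} from the Checksums-Sha256 stanza of a .dsc."""
    result = {}
    in_stanza = False
    for line in dsc_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_stanza = True
            continue
        if in_stanza:
            m = CHECKSUM_LINE.match(line)
            if not m:
                in_stanza = False  # first non-continuation line ends the stanza
                continue
            result[m.group(2)] = m.group(1)
    return result


def is_upstream_file(filename, upstream_version):
    """True for files named after the upstream version only (orig tarball, .asc,
    component tarballs); these are the ones the archive keeps immutable by name."""
    return f"_{upstream_version}.orig" in filename


def audit_upstream_files(dscs):
    """dscs: {debian_version: dsc_text}. Returns (changed, missing):
    changed maps a filename to [(revision, sha256), ...] when more than one
    distinct checksum was seen; missing maps a filename to the revisions of the
    same upstream version whose .dsc does not list it at all."""
    by_upstream = defaultdict(dict)
    for version, text in dscs.items():
        upstream = version.rsplit("-", 1)[0]  # simplification: last '-' splits the revision
        by_upstream[upstream][version] = parse_sha256(text)
    changed, missing = {}, {}
    for upstream, revisions in by_upstream.items():
        names = {f for sums in revisions.values() for f in sums if is_upstream_file(f, upstream)}
        for name in sorted(names):
            seen = [(rev, sums[name]) for rev, sums in sorted(revisions.items()) if name in sums]
            absent = [rev for rev in sorted(revisions) if name not in revisions[rev]]
            if len({sha for _, sha in seen}) > 1:
                changed[name] = seen
            if absent:
                missing[name] = absent
    return changed, missing


def _dsc(revision, with_asc, asc_hash):
    """Build a constructed .dsc fragment; hashes/sizes are placeholders, not real values."""
    lines = ["Checksums-Sha256:",
             f" {'a' * 64} 611230 dbus-glib_0.110.orig.tar.gz"]
    if with_asc:
        lines.append(f" {asc_hash} 833 dbus-glib_0.110.orig.tar.gz.asc")
    lines.append(f" {'c' * 64} 11588 dbus-glib_{revision}.debian.tar.xz")
    lines.append("Files:")
    return "\n".join(lines) + "\n"


# Constructed sample mirroring the pattern in footnote [1]: .asc present in -2,
# absent in -3 and -4, present again with different content in -5.
SAMPLE_DSCS = {
    "0.110-2": _dsc("0.110-2", True, "b" * 64),
    "0.110-3": _dsc("0.110-3", False, None),
    "0.110-4": _dsc("0.110-4", False, None),
    "0.110-5": _dsc("0.110-5", True, "d" * 64),
}

if __name__ == "__main__":
    changed, missing = audit_upstream_files(SAMPLE_DSCS)
    for name, seen in changed.items():
        print(f"CHANGED {name}: " + ", ".join(f"{rev}={sha[:8]}..." for rev, sha in seen))
    for name, revs in missing.items():
        print(f"MISSING {name} in: " + ", ".join(revs))
```

Running it against real metadata means feeding the .dsc text of each revision (for instance as fetched from snapshot.debian.org) into audit_upstream_files; an importer that treats archive filenames as immutable can refuse or quarantine a revision as soon as changed is non-empty, which is exactly the case the report hit.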