Hi,

* Helmut Grohne <hel...@subdivi.de> [2023-08-10 06:43]:
> When repacking, the upstream signature becomes useless and external parties can no longer verify it at ease. Including that upstream signature increases trust in the source shipped by Debian being good.
I don't think that problem is very relevant in practice.

On the one hand, the vast majority of upstreams I have encountered so far do not ship any signatures at all. Some upstreams do not even have an immutable release archive; GitHub (for example) generates TARs and ZIPs on the fly and changes the exact format from time to time.

On the other hand, those upstream developers who care enough to go the extra mile with a meaningful [1] cryptographic signature probably also pay more attention to the actual files they ship, making it less likely to require repacks in the first place.

Cheers
Timo

[1] A signature is only meaningful if the signing key is kept secure. If you upload a GPG private key to your favorite code hoster and have it sign releases automatically, you have a very convenient workflow that achieves nothing at all, because the integrity of the release still depends on the integrity of the hosting platform.

-- 
⢀⣴⠾⠻⢶⣦⠀ ╭────────────────────────────────────────────────────╮
⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling                                       │
⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
⠈⠳⣄⠀⠀⠀⠀ ╰────────────────────────────────────────────────────╯