Marc Haber <[email protected]> writes:

> I THINK that we should recommend including the form that upstream
> publishes with their signature.
Do you mean that generally, or more specifically 'PGP signature'? Many upstreams now sign their releases using Sigstore, Sigsum, SSH signatures and other non-PGP formats. I expect non-PGP to be more common than PGP signatures relatively soon, if this hasn't already happened (depending on what kind of upstreams you count).

It would be nice if Debian supported more formats for verifying upstream signatures. Right now we just throw away many signatures. Bonus points for storing and publishing the non-PGP formats too.

/Simon