On Thu, Feb 12, 2026 at 06:25:07PM +0100, Simon Josefsson wrote:
Marc Haber <[email protected]> writes:
I THINK that we should recommend including the form that upstream
publishes with their signature.
Do you mean that generally, or more specifically 'PGP signature'?
Many upstream now sign their releases using Sigstore, Sigsum, SSH
Signatures and other non-PGP formats. I expect non-PGP to be more
common than PGP signatures relatively soon, if this hasn't already
happened (depending on what kind of upstreams you count).
It would be nice if Debian supported more formats for verifying upstream
signatures. Right now we just throw away many signatures. Bonus points
for storing and publishing the non-PGP formats too.
The nice thing about having the original upstream tarballs in our
archive is that we don't have to care about that. People can verify that
our tarballs are the same than upstream's and then check whatever
signature upstream chose to apply.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
