Marc Haber <[email protected]> writes:

> On Fri, Feb 13, 2026 at 01:00:02AM +0100, Simon Josefsson wrote:
>> That would solve the problem, but it will be weaker. Upstream tarballs
>> and signatures disappear or are modified over time, and more often than
>> we like or even want to admit. Users won't generally be able to find
>> and locate the upstream signatures corresponding to whatever tarball
>> ended up in Debian. If we store upstream tarballs, and verify their
>> digital signatures, I think we should also store upstream digital
>> signatures.

> We do, don't we?

Simon's point is that we do not store upstream signatures other than in
the very specific case of PGP signatures. Previously that was about the
only case that mattered, but increasingly that's not true.

I think this was all a bit orthogonal to the point you were trying to
make, although it does imply that we probably need a better way of
thinking about upstream signatures more generally.

-- 
Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>

