On Fri, Feb 13, 2026 at 08:35:51AM -0800, Russ Allbery wrote:
> Marc Haber <[email protected]> writes:
>> On Fri, Feb 13, 2026 at 01:00:02AM +0100, Simon Josefsson wrote:
>>> That would solve the problem, but it will be weaker. Upstream tarballs
>>> and signatures disappear or are modified over time, and more often than
>>> we like or even want to admit. Users won't generally be able to find
>>> and locate those upstream signatures corresponding to whatever tarball
>>> ended up in Debian. If we store upstream tarballs, and verify their
>>> digital signatures, I think we should also store upstream digital
>>> signatures.
>> We do, don't we?
> Simon's point is that we do not store upstream signatures other than the
> very specific case of PGP signatures.

Well trolled.

> Previously that was about the only
> case that matters, but increasingly that's not true.

And at the same time we're moving away from source tarballs. Do
upstreams put Non-OpenPGP Signatures on their release tags?

> I think this was all a bit orthogonal to the point you were trying to
> make, although it does imply that we probably need a better way of
> thinking about upstream signatures more generally.

Or decide that we stopped caring.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Email address in the header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421