On Wed, 23 Aug 2017, Russ Allbery wrote:
> Note that this Policy language is carefully written to make it perfectly
> fine for uscan to support all the things it currently supports, since it
> only talks about what Policy recommends the maintainer does. So don't
> feel any obligation to change what uscan is doing on Policy's account
> here.
Actually, the text in 4.1.0.0 might be doing too much. It reads:

"If the upstream maintainer of the software provides OpenPGP signatures for new releases, including the information required for "uscan" to verify signatures for new upstream releases is also recommended. To do this, use the "pgpsigurlmangle" option in "debian/watch" to specify the location of the upstream signature, and include the key or keys used to sign upstream releases in the Debian source package as "debian/upstream/signing-key.asc".

IMO, it should either not be mandating uscan internals, or it should be very clear about the exact subset of stuff we can use in debian/watch (version, etc). For example, I'd rather use opt="..., pgpmode=auto,..." instead of explicitly hardcoding a "pgpsigurlmangle".

IMHO, just drop everything from "To do this..." to the end of that paragraph entirely. HOW one gets "uscan" to fetch and check upstream signatures is a job for the uscan(1) manpage. Alternatively, just mention "debian/watch", and refer to the uscan documentation in package "devscripts".

OTOH, if we really need to mandate a specific level of debian/watch support, the current text in policy needs work: it doesn't even tell me whether I can use version=3 (supported in oldstable), or version=4 (supported in oldstable-backports and stable), for example...

--
Henrique Holschuh
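An added illustration, not part of this message or of Debian Policy, of the two debian/watch forms the thread contrasts: the explicit "pgpsigurlmangle" rule that the quoted Policy text names, and the "pgpmode=auto" form that lets uscan find the signature itself. The package name "foo" and the URL https://example.org are made-up assumptions.

```text
# debian/watch, version=4  (added example; package name and URL are hypothetical)

version=4

# Form 1: the rule spelled out in the quoted Policy text.
# pgpsigurlmangle is a sed-style substitution applied to the tarball URL
# to derive the signature URL (here: append ".asc").
opts="pgpsigurlmangle=s/$/.asc/" \
  https://example.org/releases/foo-(\d+\.\d+\.\d+)\.tar\.gz

# Form 2: no hardcoded mangle rule.
# pgpmode=auto makes uscan probe the usual signature URLs next to the
# tarball and generate the equivalent pgpsigurlmangle rule on its own.
# (Commented out here because a package uses one form or the other.)
#opts="pgpmode=auto" \
#  https://example.org/releases/foo-(\d+\.\d+\.\d+)\.tar\.gz
```

With either form, uscan checks the downloaded signature against the keyring shipped as debian/upstream/signing-key.asc and rejects the tarball when the signature does not verify, so the key file is what actually pins trust in the upstream release, not the choice of option.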