Package: devscripts
Version: 2.23.3
Severity: wishlist
I know if you're looking at the subject line alone you'll think I'm proposing
introducing a security vulnerability, but let me explain.
There are some problems with storing an upstream signing key inside the
package. It might get stale, not incorporating additional subkeys necessary for
signature verification or revocations. Also, it requires manual work on the
part of the maintainer and can't be done automatically.
Folks outside the OpenPGP ecosystem might not know this, but the Web of Trust
is no longer the only way of doing things. There are mechanisms, such as Web Key
Directory (WKD), DANE, and LDAP, that not only discover an OpenPGP key but also
verify that it really belongs to the person named in the user ID.
First, we save in some metadata file somewhere (debian/upstream/metadata?) the
user IDs (i.e. names and email addresses) of upstream, or perhaps a mapping of
key IDs to email addresses. When uscan goes to verify the signature, it will
know the key ID of the signer but might not know their user ID, so it will look
the key ID up in the mapping table.
Then it will fetch the key using an authenticated method and use it to verify
the signature.
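To make the proposed lookup concrete, here is an added example (not code from the bug report or from devscripts) of the two pieces a verifier would need: the key-ID-to-email mapping lookup and the construction of the Web Key Directory URLs from which the key would then be fetched. The WKD URL layout (SHA-1 of the lower-cased local part, z-base-32 encoded, under /.well-known/openpgpkey/) follows draft-koch-openpgp-webkey-service; the mapping contents and the metadata field name are constructed placeholders, not anything uscan actually reads today.

```python
"""Key-ID -> email lookup plus Web Key Directory (WKD) URL construction.

Added example, not part of the bug report or of devscripts.  The mapping
below stands in for a hypothetical field in debian/upstream/metadata and
contains constructed sample values only.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD for the hashed local part.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

# Constructed sample mapping: long key ID (16 hex digits) -> user ID email.
# In the proposal this would live in a metadata file maintained by the packager.
UPSTREAM_KEYS = {
    "0123456789ABCDEF": "Upstream.Maintainer@example.org",
}


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, zero-padded at the end."""
    bits = "".join(f"{b:08b}" for b in data)
    out = []
    for i in range(0, len(bits), 5):
        chunk = bits[i:i + 5].ljust(5, "0")
        out.append(ZBASE32[int(chunk, 2)])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """Hashed user ID for WKD: z-base-32(SHA-1(lower-cased local part))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32(digest)  # 20 bytes -> exactly 32 characters


def wkd_urls(email: str) -> dict:
    """Return the 'advanced' and 'direct' WKD URLs for an email address."""
    local, _, domain = email.rpartition("@")
    domain = domain.lower()
    h = wkd_hash(local)
    # The l= query carries the local part as written, percent-encoded.
    l = quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }


def normalize_key_id(key_id: str) -> str:
    """Accept '0x'-prefixed, spaced, or full-fingerprint forms; keep last 16 hex."""
    cleaned = key_id.replace(" ", "").upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    return cleaned[-16:]


def lookup_signer(key_id: str, mapping: dict = UPSTREAM_KEYS):
    """Map the signature's issuer key ID to the email the verifier should
    resolve via WKD, or None if the signer is not a known upstream key."""
    return mapping.get(normalize_key_id(key_id))


def locate_upstream_key(key_id: str, mapping: dict = UPSTREAM_KEYS):
    """Full flow from the proposal: key ID -> email -> WKD URLs to fetch."""
    email = lookup_signer(key_id, mapping)
    if email is None:
        return None
    return {"email": email, "urls": wkd_urls(email)}


if __name__ == "__main__":
    # Constructed signer key ID, e.g. as reported by gpgv for a .asc file.
    result = locate_upstream_key("0x0123456789ABCDEF")
    print(result)
```

With the email in hand, the actual fetch and verification would be delegated to GnuPG rather than re-implemented: `gpg --auto-key-locate clear,wkd --locate-keys <email>` retrieves the key via WKD, after which the signature can be checked against the fetched key. A key ID absent from the mapping returns None, which a verifier should treat as a hard failure rather than falling back to an unauthenticated keyserver lookup.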
I hope that makes sense. Unfortunately I only know C, so I don't think I'll be
able to contribute this.
Thanks
-- Package-specific info:
--- /etc/devscripts.conf ---
Empty.
--- ~/.devscripts ---
DEBSIGN_KEYID=A23F3CA5BD39D9EB18AC7F35B3F4DD2861F4CDBA!
DEBSIGN_MAINT="John Scott"
BTS_MAIL_READER="evolution %s"
BTS_INTERACTIVE=yes
BTS_CACHE=yes
BTS_CACHE_MODE=full
DEBCOMMIT_SIGN_TAGS=yes
DEBCOMMIT_SIGN_COMMITS=yes
WHOUPLOADS_DATE=yes
DSCVERIFY_KEYRINGS=/home/john/.gnupg/pubring.kbx
DEBCHANGE_RELEASE_HEURISTIC=changelog
DEBCHANGE_MULTIMAINT_MERGE=yes
DEBCHANGE_MAINTTRAILER=yes
-- System Information:
Debian Release: 12.0
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (2, 'unstable-debug'), (2, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64
Kernel: Linux 6.1.0-7-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages devscripts depends on:
ii dpkg-dev 1.21.21
ii fakeroot 1.31-1.1
ii file 1:5.44-3
ii gnupg 2.2.40-1.1
ii gpgv 2.2.40-1.1
ii libc6 2.36-8
ii libfile-dirlist-perl 0.05-3
ii libfile-homedir-perl 1.006-2
ii libfile-touch-perl 0.12-2
ii libfile-which-perl 1.27-2
ii libipc-run-perl 20220807.0-1
ii libmoo-perl 2.005005-1
ii libwww-perl 6.68-1
ii patchutils 0.4.2-1
ii perl 5.36.0-7
ii python3 3.11.2-1
ii sensible-utils 0.0.17+nmu1
ii wdiff 1.2.2-5
Versions of packages devscripts recommends:
ii apt 2.6.0
ii curl 7.88.1-7
ii dctrl-tools 2.24-3+b1
ii debian-keyring 2022.12.24
ii dput 1.1.3
ii equivs 2.3.1
ii libdistro-info-perl 1.5
ii libdpkg-perl 1.21.21
ii libencode-locale-perl 1.05-3
ii libgit-wrapper-perl 0.048-2
ii libgitlab-api-v4-perl 0.26-3
ii liblist-compare-perl 0.55-2
ii liblwp-protocol-https-perl 6.10-1
ii libsoap-lite-perl 1.27-3
ii libstring-shellquote-perl 1.04-3
ii libtry-tiny-perl 0.31-2
ii liburi-perl 5.17-1
ii licensecheck 3.3.5-1
ii lintian 2.116.3
ii man-db 2.11.2-2
ii patch 2.7.6-7
ii pristine-tar 1.50
ii python3-apt 2.5.3
ii python3-debian 0.1.49
ii python3-magic 2:0.4.26-3
ii python3-requests 2.28.1+dfsg-1
ii python3-unidiff 0.7.3-1
ii python3-xdg 0.28-2
ii strace 6.1-0.1
ii unzip 6.0-28
ii wget 1.21.3-1+b2
ii xz-utils 5.4.1-0.2
Versions of packages devscripts suggests:
pn adequate
ii at 3.2.5-1+b1
ii autopkgtest 5.28
ii bls-standalone 0.20151231+b1
ii build-essential 12.9
ii check-all-the-things 2017.05.20+nmu1
pn cvs-buildpackage
ii debhelper 13.11.4
ii diffoscope 238
ii disorderfs 0.5.11-3
ii dose-extra 7.0.0-1+b2
ii duck 0.14.1
pn elpa-devscripts
ii faketime 0.9.10-2.1
ii gnuplot-x11 [gnuplot] 5.4.4+dfsg1-2+b2
ii