Package: devscripts
Version: 2.23.3
Severity: wishlist

I know if you're looking at the subject line alone you'll think I'm proposing introducing a security vulnerability, but let me explain.

There are some problems with storing an upstream signing key inside the package. It might get stale, not incorporating additional subkeys necessary for signature verification or revocations. Also, it requires manual work on the part of the maintainer and can't be done automatically.

Folks outside the OpenPGP ecosystem might not know this, but the Web of Trust is now not the only way of doing things. There are ways, like Web Key Directory, DANE, and LDAP, to not only discover an OpenPGP key, but also verify that it really belongs to the person in the user ID.

First, we save in some metadata file somewhere (debian/upstream/metadata?) the user IDs (aka names and email addresses) of upstream, or perhaps mappings of key IDs to email addresses. When uscan goes to verify the signature, it will know the key ID of the signer but might not know their user ID, so it will look in the mapping table. Then it will fetch the key using an authenticated method and use it to verify the signature.

I hope that makes sense. Unfortunately I only know C, so I don't think I'll be able to contribute this.

Thanks

-- Package-specific info:
--- /etc/devscripts.conf ---
Empty.

--- ~/.devscripts ---
DEBSIGN_KEYID=A23F3CA5BD39D9EB18AC7F35B3F4DD2861F4CDBA!
DEBSIGN_MAINT="John Scott"
BTS_MAIL_READER="evolution %s"
BTS_INTERACTIVE=yes
BTS_CACHE=yes
BTS_CACHE_MODE=full
DEBCOMMIT_SIGN_TAGS=yes
DEBCOMMIT_SIGN_COMMITS=yes
WHOUPLOADS_DATE=yes
DSCVERIFY_KEYRINGS=/home/john/.gnupg/pubring.kbx
DEBCHANGE_RELEASE_HEURISTIC=changelog
DEBCHANGE_MULTIMAINT_MERGE=yes
DEBCHANGE_MAINTTRAILER=yes

-- System Information:
Debian Release: 12.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (2, 'unstable-debug'), (2, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 6.1.0-7-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages devscripts depends on:
ii  dpkg-dev              1.21.21
ii  fakeroot              1.31-1.1
ii  file                  1:5.44-3
ii  gnupg                 2.2.40-1.1
ii  gpgv                  2.2.40-1.1
ii  libc6                 2.36-8
ii  libfile-dirlist-perl  0.05-3
ii  libfile-homedir-perl  1.006-2
ii  libfile-touch-perl    0.12-2
ii  libfile-which-perl    1.27-2
ii  libipc-run-perl       20220807.0-1
ii  libmoo-perl           2.005005-1
ii  libwww-perl           6.68-1
ii  patchutils            0.4.2-1
ii  perl                  5.36.0-7
ii  python3               3.11.2-1
ii  sensible-utils        0.0.17+nmu1
ii  wdiff                 1.2.2-5

Versions of packages devscripts recommends:
ii  apt                         2.6.0
ii  curl                        7.88.1-7
ii  dctrl-tools                 2.24-3+b1
ii  debian-keyring              2022.12.24
ii  dput                        1.1.3
ii  equivs                      2.3.1
ii  libdistro-info-perl         1.5
ii  libdpkg-perl                1.21.21
ii  libencode-locale-perl       1.05-3
ii  libgit-wrapper-perl         0.048-2
ii  libgitlab-api-v4-perl       0.26-3
ii  liblist-compare-perl        0.55-2
ii  liblwp-protocol-https-perl  6.10-1
ii  libsoap-lite-perl           1.27-3
ii  libstring-shellquote-perl   1.04-3
ii  libtry-tiny-perl            0.31-2
ii  liburi-perl                 5.17-1
ii  licensecheck                3.3.5-1
ii  lintian                     2.116.3
ii  man-db                      2.11.2-2
ii  patch                       2.7.6-7
ii  pristine-tar                1.50
ii  python3-apt                 2.5.3
ii  python3-debian              0.1.49
ii  python3-magic               2:0.4.26-3
ii  python3-requests            2.28.1+dfsg-1
ii  python3-unidiff             0.7.3-1
ii  python3-xdg                 0.28-2
ii  strace                      6.1-0.1
ii  unzip                       6.0-28
ii  wget                        1.21.3-1+b2
ii  xz-utils                    5.4.1-0.2

Versions of packages devscripts suggests:
pn  adequate                      <none>
ii  at                            3.2.5-1+b1
ii  autopkgtest                   5.28
ii  bls-standalone                0.20151231+b1
ii  build-essential               12.9
ii  check-all-the-things          2017.05.20+nmu1
pn  cvs-buildpackage              <none>
ii  debhelper                     13.11.4
ii  diffoscope                    238
ii  disorderfs                    0.5.11-3
ii  dose-extra                    7.0.0-1+b2
ii  duck                          0.14.1
pn  elpa-devscripts               <none>
ii  faketime                      0.9.10-2.1
ii  gnuplot-x11 [gnuplot]         5.4.4+dfsg1-2+b2
ii  how-can-i-help                17
ii  libauthen-sasl-perl           2.1600-3
pn  libdbd-pg-perl                <none>
ii  libfile-desktopentry-perl     0.22-3
ii  libnet-smtps-perl             0.10-2
pn  libterm-size-perl             <none>
ii  libtimedate-perl              2.3300-2
ii  libyaml-syck-perl             1.34-2+b1
ii  mailutils [mailx]             1:3.15-4
ii  mmdebstrap                    1.3.3-6.1
pn  mozilla-devscripts            <none>
pn  mutt                          <none>
ii  openssh-client [ssh-client]   1:9.2p1-2
ii  piuparts                      1.1.7
pn  postgresql-client             <none>
pn  pristine-lfs                  <none>
ii  quilt                         0.67+really0.66-1
pn  ratt                          <none>
ii  reprotest                     0.7.23
pn  svn-buildpackage              <none>
pn  w3m                           <none>

-- no debconf information
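The lookup the report proposes, as an added example that is not part of the report or of devscripts: take the signer key ID that gpgv reports as missing, resolve it to an upstream e-mail address through a mapping table, derive the Web Key Directory URLs for that address, and check the fetched key before using it. The mapping-table field name, the key ID, and the gpgv status lines are constructed for the example; the URL derivation follows draft-koch-openpgp-webkey-service (both the advanced and the direct method, which the report does not spell out), and the final acceptance check is the step that keeps a domain from substituting some other key for the one the signature names. The key is fetched over HTTPS with an ordinary client, which is not shown here.

```python
import hashlib
import re
from urllib.parse import quote

# Constructed sample of a hypothetical debian/upstream/metadata field that maps
# long signer key IDs to upstream e-mail addresses. Both the field name and the
# key ID are invented for this example.
UPSTREAM_SIGNER_MAP = {
    "0123456789ABCDEF": "Joe.Doe@Example.ORG",
}

# Constructed gpgv --status-fd output for a signature made by a key that is not
# in the local keyring. Line formats follow GnuPG's doc/DETAILS.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 0123456789ABCDEF 22 10 00 1680000000 9\n"
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"
)

# z-base-32 alphabet used by WKD for the hashed local part.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data):
    """z-base-32 encode, taking 5-bit groups from the most significant bit down
    (the bit order GnuPG's zb32.c uses). A 160-bit SHA-1 digest needs no padding."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5
    value <<= pad
    nbits += pad
    return "".join(ZB32_ALPHABET[(value >> shift) & 31]
                   for shift in range(nbits - 5, -1, -5))


def missing_key_ids(status_output):
    """Key IDs that gpgv reported as NO_PUBKEY: the signers we still lack keys for."""
    return re.findall(r"^\[GNUPG:\] NO_PUBKEY ([0-9A-Fa-f]+)$",
                      status_output, re.MULTILINE)


def wkd_urls(email):
    """Advanced and direct WKD URLs for an address, as the draft defines them:
    SHA-1 of the lowercased local part, z-base-32 encoded; domain lowercased;
    the original local part passed back in the l= query parameter."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    hashed = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    query = "?l=" + quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}{query}",
    }


def plan_key_fetch(status_output, signer_map):
    """For every missing signer, resolve the e-mail from the mapping table and
    return the WKD URLs to try. A key ID absent from the table maps to None:
    with no address to authenticate against, nothing should be fetched."""
    plan = {}
    for keyid in missing_key_ids(status_output):
        email = signer_map.get(keyid.upper())
        plan[keyid] = wkd_urls(email) if email else None
    return plan


def key_is_acceptable(fetched_keyid, fetched_uids, expected_keyid, expected_email):
    """Checks to apply to a key retrieved over WKD before handing it to gpgv:
    it must be the key the signature names, and it must carry a user ID whose
    address is exactly the one the mapping table binds to that key ID. WKD shows
    the domain published the key; this check shows it is the expected key.
    Compare full fingerprints instead of key IDs whenever gpgv reports them."""
    if fetched_keyid.upper() != expected_keyid.upper():
        return False
    wanted = expected_email.lower()
    for uid in fetched_uids:
        m = re.search(r"<([^>]+)>", uid)
        addr = (m.group(1) if m else uid).strip().lower()
        if addr == wanted:
            return True
    return False


if __name__ == "__main__":
    for keyid, urls in plan_key_fetch(SAMPLE_STATUS, UPSTREAM_SIGNER_MAP).items():
        print(keyid, urls)
```

For the draft's own example address, Joe.Doe@Example.ORG, the advanced URL ends in hu/iy9q119eutrkn8s1mk4r39qejnbu3n5q?l=Joe.Doe, which is also what gpg-wks-client --print-wkd-url prints for it, so the derivation can be cross-checked against GnuPG without any network access.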