On Mon 2017-08-07 09:40:22 -0700, Russ Allbery wrote:

> In an ideal world, we would have a documented set of metadata for finding
> upstream releases, of which uscan is just one implementation, and document
> that in Policy.

In an ideal world, uscan would be able to verify signed git tags and include the diff between the orig.tar.gz and a shallow clone of the git repo as a patch to allow verification without history ;)

> This patch doesn't attempt to do that; it tries to find a compromise
> between the current Policy language ("include a watch file for uscan")
> and specifying the location of the upstream signing keys, while
> deferring all of the details to the uscan documentation.

I think this is a sensible approach. Thanks for working on it, Russ.

> + If the upstream maintainer of the software provides PGP signatures

This should probably be s/PGP/OpenPGP/

All the rest looks good to me. I'm also happy to second it, if needed.

--dkg
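For readers unfamiliar with the mechanism the thread is discussing, here is what a watch file that asks uscan to verify upstream OpenPGP signatures looks like. This is an added illustration, not part of the message above or of the Policy patch; the upstream URL and file naming are placeholders, and the layout assumes the version 4 watch-file format, with the upstream signing key stored in the packaging tree at debian/upstream/signing-key.asc (the location uscan consults by default).

```text
# debian/watch (illustrative, placeholder upstream URL)
version=4
# pgpsigurlmangle derives the detached-signature URL from the tarball URL,
# here by appending ".asc"; uscan then checks that signature against the
# keys in debian/upstream/signing-key.asc before accepting the tarball.
opts="pgpsigurlmangle=s/$/.asc/" \
  https://upstream.example.org/releases/foo-(\d[\d.]*)\.tar\.gz
```

The design point this captures is the one the thread is circling: the packaging tree carries both the rule for locating releases and the key material needed to check them, so the maintainer's "download" step fails closed when a tarball arrives without a valid signature from the expected upstream key, rather than silently importing whatever the mirror served.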