Package: git-debpush
Severity: wishlist

Hi!

Some upstreams provide PGP signatures of 'git-archive' tarballs, and when tag2upload synthesizes the exact same tarball, it would make sense to have tag2upload include the upstream PGP signature into the upload. As far as I know, this is impossible today, and I couldn't find a bug report tracking this.

Supporting this would fix lintian warnings that *.orig.tar.asc is not included when debian/upstream/signing-key.asc is part of the package. Having the upstream signing key in that file is useful for 'uscan' to verify downloaded artifacts, which may include PGP signed git tags.

This COULD be implemented by supporting pristine-tar, since pristine-tar supports storing the upstream PGP signature.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106071

I believe supporting upstream PGP signatures in uploads is orthogonal to pristine-tar, though, because:

1) The pristine-tar branch is designed to provide tarballs which do not match tag2upload synthesized *.orig.tar.gz tarballs.

2) People may want to support uploading a *.orig.tar.gz.asc without adopting the pristine-tar workflow.

So here is a bug report to see if it is worthwhile to support this in the first place, and in the second place, see if it makes sense to support without pristine-tar.

What do you think?

/Simon

