tags 742552 + patch
thanks

hi,

this bug was originally cloned off policy bug #732445, which has been long
fixed.

please find attached a patch for devref, to (i) encourage the use of the sig
verification functionality, when applicable, (ii) point to Policy for details on
how to use it.  (this seems backwards to me: ideally, devref would have the
details and Policy would link to it, but nevermind)

thanks,
serafi
From 764e660d684f4fc86c650b55927e34bb91ef5cdf Mon Sep 17 00:00:00 2001
From: "Serafeim (Serafi) Zanikolas" <[email protected]>
Date: Tue, 19 May 2026 21:20:19 +0200
Subject: [PATCH] best-pkging-practices: encourage automatic verification of
 upstream release signatures

---
 source/best-pkging-practices.rst | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/source/best-pkging-practices.rst b/source/best-pkging-practices.rst
index 3d1fd75..3dea1c4 100644
--- a/source/best-pkging-practices.rst
+++ b/source/best-pkging-practices.rst
@@ -554,8 +554,13 @@ is good news!
 Best practices around security
 ================================================================================================================================
 
-A set of security suggestions related to packaging can be found at
-https://wiki.debian.org/Hardening.
+When an upstream publishes a cryptographic signature for every new release, you
+should setup ``uscan`` to automatically verify the latter. For details, refer to
+the section on ``Upstream source location: "debian/watch"`` in the The Debian
+Policy Manual.
+
+https://wiki.debian.org/Hardening has suggestions on how to build security
+hardened executables.
 
 .. _bpp-debian-maint-scripts:
 
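Review bot: wording nits in the added paragraph. On the first added line, ``setup`` should be ``set up`` (the verb), and "in the The Debian Policy Manual" has a doubled article. "verify the latter" also reads ambiguously, because what uscan checks is the downloaded tarball against that signature; suggest "you should set up ``uscan`` to verify each downloaded tarball against that signature automatically." On the last added lines, "security hardened executables" wants a hyphen: "security-hardened executables".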
-- 
2.47.3
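As an added illustration of what the paragraph asks maintainers to do (this is not part of the patch, the mail, or devref itself), here are two alternative contents for a package's ``debian/watch``: one that only downloads the tarball, and one that also makes ``uscan`` fetch and check the upstream signature. The upstream URL, the ``foo`` tarball name and the assumption that upstream publishes a detached ASCII-armoured ``.asc`` signature next to each tarball are constructed for the example.

```text
# Variant A: debian/watch without verification (constructed example).
# uscan downloads the tarball but has no way to tell a tampered one apart.
version=4
https://example.org/releases/foo-(\d[\d.]*)\.tar\.gz

# Variant B: the same debian/watch with signature verification.
# pgpsigurlmangle tells uscan how to derive the signature URL from the
# tarball URL (here: append ".asc"); uscan then checks the downloaded
# tarball against that signature using the upstream public key stored,
# ASCII-armoured, in debian/upstream/signing-key.asc.
version=4
opts="pgpsigurlmangle=s%$%.asc%" \
  https://example.org/releases/foo-(\d[\d.]*)\.tar\.gz
```

With variant B, a tarball whose signature is missing or does not verify against ``debian/upstream/signing-key.asc`` makes ``uscan`` fail instead of silently importing it, which is the check the paragraph is encouraging; the key file itself has to be populated with the upstream signing key once and then kept current when upstream rotates keys.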
