On 2015-06-18 02:31:57 +0000 (+0000), Clint Adams wrote:
> No, in this particular case, upstream IS releasing source tarballs
> and the packagers are refusing to use them for reasons I find
> incomprehensible.

Well, for some of the packages in question where I'm involved
upstream, we still aren't providing PGP signatures for some of those
tarballs (not even PGP-signed checksum lists). Some are uploaded to
Launchpad and a release manager uploads a signature along with it,
some are auto-published to other places by our build systems and
sometimes a release manager sends a signed release announcement to a
few mailing lists, hopefully including strong checksums of the
tarballs, but there are plenty where CI automation is building the
tarballs (based on signed tags in a VCS, of course) and uploading
them without a corresponding signature.

I'm planning to rectify that to some extent by having trusted
systems in our build infrastructure create and upload signatures
with them, but depending on a package maintainer's trust preferences
that may not be seen as a strong enough attestation. On the other
hand, I run Debian testing and unstable on a lot of systems and have
a fairly strong degree of faith in the automatic archive signing
keys... we'd definitely be following similar measures to cross-sign,
secure and rotate our automatic tarball signing keys.
-- 
Jeremy Stanley
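
The message above contrasts several ways a packager can tie an upstream tarball back to a trusted source: a detached signature, or a signed checksum list / release announcement. The following is an added example (not code from the thread or from any of the projects discussed) showing the packager-side check for the "signed checksum list" case: it parses a SHA256SUMS-style list (the format `sha256sum` emits), verifies a tarball against it, and rejects malformed or missing entries rather than skipping them. The tarball is a constructed in-memory sample so the script runs offline. The `gpg_verify_detached` helper, the keyring path and the file names it takes are assumptions; it shells out to `gpg --verify`, which is the step that actually establishes who vouched for the checksum list.

```python
import gzip
import hashlib
import hmac
import io
import re
import subprocess
import tarfile
from pathlib import Path


def build_sample_tarball() -> bytes:
    """Constructed sample release tarball, built deterministically (fixed
    mtimes, gzip mtime=0) so the same bytes come out on every run."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        data = b"#!/bin/sh\necho hello\n"
        info = tarfile.TarInfo("example-1.0/hello.sh")
        info.size = len(data)
        info.mode = 0o755
        tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


# "<64 hex digits>  <name>" (text mode) or "<64 hex digits> *<name>" (binary mode),
# exactly what `sha256sum` writes and `sha256sum -c` reads.
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s[ *](\S+)$")


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse a checksum list into {filename: hex digest}.

    A line that does not fit the format raises instead of being skipped:
    a truncated or edited list should fail loudly, not silently verify less."""
    sums: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments are tolerated
        match = CHECKSUM_LINE.match(line)
        if not match:
            raise ValueError(f"malformed checksum line {lineno}: {line!r}")
        sums[match.group(2)] = match.group(1).lower()
    if not sums:
        raise ValueError("checksum list contains no entries")
    return sums


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_tarball(name: str, data: bytes, sums: dict[str, str]) -> bool:
    """True if `data` matches the digest listed for `name`.

    A name that is absent from the list is an error, not a pass: a list that
    simply omits the artifact provides no attestation for it."""
    expected = sums.get(name)
    if expected is None:
        raise KeyError(f"{name} is not listed in the checksum file")
    return hmac.compare_digest(sha256_of(data), expected)


def gpg_verify_detached(signature: Path, signed_file: Path, keyring: Path) -> bool:
    """Check a detached signature over the checksum list (or the tarball itself)
    against a keyring that holds only the upstream's release keys.

    Paths are hypothetical; this calls the real `gpg --verify` and is not
    exercised by the offline checks below."""
    result = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", str(keyring),
         "--verify", str(signature), str(signed_file)],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def demo() -> dict[str, bool]:
    """Run the checksum path end to end on the constructed sample and return
    the outcomes: a matching list passes, a tampered tarball fails."""
    tarball = build_sample_tarball()
    name = "example-1.0.tar.gz"
    # Constructed SHA256SUMS as a release manager might paste into an announcement.
    sums_text = f"{sha256_of(tarball)}  {name}\n"
    sums = parse_sha256sums(sums_text)
    tampered = tarball[:-1] + bytes([tarball[-1] ^ 0x01])
    return {
        "genuine": verify_tarball(name, tarball, sums),
        "tampered": verify_tarball(name, tampered, sums),
    }


if __name__ == "__main__":
    print(demo())  # expected: {'genuine': True, 'tampered': False}
```

The checksum comparison only proves the file matches the list; whether the list itself can be trusted rests entirely on `gpg_verify_detached` succeeding against a keyring you populated deliberately, which is exactly the gap the message describes for tarballs that CI uploads without any signature.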
