Marc Haber <[email protected]> writes:

> On Thu, Feb 12, 2026 at 06:25:07PM +0100, Simon Josefsson wrote:
>>Marc Haber <[email protected]> writes:
>>> I THINK that we should recommend including the form that upstream
>>> publishes with their signature.
>>
>>Do you mean that generally, or more specifically 'PGP signature'?
>>
>>Many upstreams now sign their releases using Sigstore, Sigsum, SSH
>>Signatures and other non-PGP formats. I expect non-PGP to be more
>>common than PGP signatures relatively soon, if this hasn't already
>>happened (depending on what kind of upstreams you count).
>>
>>It would be nice if Debian supported more formats for verifying upstream
>>signatures. Right now we just throw away many signatures. Bonus points
>>for storing and publishing the non-PGP formats too.
>
> The nice thing about having the original upstream tarballs in our
> archive is that we don't have to care about that. People can verify
> that our tarballs are the same as upstream's and then check whatever
> signature upstream chose to apply.
Oh, then I think I misunderstood you. Did you intend to recommend that Debian does not store a copy of the upstream digital signature together with the tarball at all? That would solve the problem, but it will be weaker. Upstream tarballs and signatures disappear or are modified over time, and more often than we like or even want to admit. Users won't generally be able to find and locate the upstream signatures corresponding to whatever tarball ended up in Debian.

If we store upstream tarballs, and verify their digital signatures, I think we should also store the upstream digital signatures. And support whatever upstream digital signature format is used (limited to widely implemented variants like PGP, SSH, Sigstore, Sigsum, minisign, signify, ...).

/Simon
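The two-step check Marc describes (confirm the archive tarball is byte-for-byte what upstream published, then verify whatever signature upstream chose) and the format list Simon gives can be wired up in a few dozen lines. The following is an added example, not Debian tooling and not code from either poster: it classifies a detached signature by its envelope rather than its file name, compares the tarball's sha256 against the digest upstream published, and builds the matching verifier invocation. The sample signature headers, file names, key paths and OIDC identity are assumptions; the flags are the documented ones for gpg, ssh-keygen, minisign, signify and cosign. Sigsum is detected as "unknown" here because no verifier for it is wired in.

```python
"""Added example (not Debian tooling, not from the thread): detect an upstream
signature's format, check the tarball digest, build the verify command."""
import hashlib
import json
import subprocess
from pathlib import Path

PGP_ARMOR = b"-----BEGIN PGP SIGNATURE-----"
SSH_ARMOR = b"-----BEGIN SSH SIGNATURE-----"
# minisign and signify share the "untrusted comment:" envelope; only minisign
# appends a second, signed "trusted comment:" section.
UNTRUSTED = b"untrusted comment:"
TRUSTED = b"\ntrusted comment:"


def detect_format(sig: bytes) -> str:
    """Classify a detached signature by its envelope, not its file name."""
    head = sig.lstrip()
    if head.startswith(PGP_ARMOR):
        return "pgp"
    if head.startswith(SSH_ARMOR):
        return "ssh"
    if head.startswith(UNTRUSTED):
        return "minisign" if TRUSTED in head else "signify"
    if head.startswith(b"{"):
        try:
            obj = json.loads(head)
        except ValueError:
            return "unknown"
        # Sigstore bundle (protobuf-JSON): either top-level field marks it.
        if isinstance(obj, dict) and (
            "messageSignature" in obj or "verificationMaterial" in obj
        ):
            return "sigstore"
        return "unknown"
    # Binary OpenPGP signature packet (tag 2): old-format CTB 0x88..0x8b,
    # new-format CTB 0xc2.
    if head and head[0] in (0x88, 0x89, 0x8A, 0x8B, 0xC2):
        return "pgp"
    return "unknown"


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def tarball_matches_upstream(path, published_sha256: str) -> bool:
    """Step one: the archive copy equals upstream's published release."""
    return sha256_file(path) == published_sha256.strip().lower()


def verify_command(fmt, tarball, sig, *, pubkey=None, allowed_signers=None,
                   principal=None, oidc_identity=None, oidc_issuer=None):
    """Return (argv, stdin_path) for the tool that verifies this format.
    Key files and identities are caller-supplied assumptions."""
    tarball, sig = str(tarball), str(sig)
    if fmt == "pgp":
        return ["gpg", "--verify", sig, tarball], None
    if fmt == "ssh":
        # ssh-keygen reads the signed data on stdin; "file" is the usual
        # namespace for file signatures.
        return ["ssh-keygen", "-Y", "verify", "-f", str(allowed_signers),
                "-I", str(principal), "-n", "file", "-s", sig], tarball
    if fmt == "minisign":
        return ["minisign", "-Vm", tarball, "-x", sig, "-p", str(pubkey)], None
    if fmt == "signify":
        return ["signify", "-V", "-p", str(pubkey), "-x", sig, "-m", tarball], None
    if fmt == "sigstore":
        return ["cosign", "verify-blob", "--bundle", sig,
                "--certificate-identity", str(oidc_identity),
                "--certificate-oidc-issuer", str(oidc_issuer), tarball], None
    raise ValueError(f"no verifier wired in for signature format {fmt!r}")


def verify_upstream(tarball, sig, published_sha256, **keys) -> bool:
    """Step two: digest check, then format detection, then the tool's verdict."""
    if not tarball_matches_upstream(tarball, published_sha256):
        return False
    fmt = detect_format(Path(sig).read_bytes())
    argv, stdin_path = verify_command(fmt, tarball, sig, **keys)
    stdin = open(stdin_path, "rb") if stdin_path else None
    try:
        return subprocess.run(argv, stdin=stdin, check=False).returncode == 0
    finally:
        if stdin:
            stdin.close()
```

The digest comparison comes first on purpose: a signature only proves something about the bytes upstream signed, so the archive copy has to be shown identical to those bytes before the signature result means anything for Debian's tarball. Detecting the format from the envelope rather than the extension is what lets the same code keep the non-PGP signatures Simon mentions instead of discarding them.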