On Fri, Feb 13, 2026 at 01:00:02AM +0100, Simon Josefsson wrote:
> Marc Haber <[email protected]> writes:
> > On Thu, Feb 12, 2026 at 06:25:07PM +0100, Simon Josefsson wrote:
> > > Marc Haber <[email protected]> writes:
> > > > I THINK that we should recommend including the form that upstream
> > > > publishes with their signature.
> > >
> > > Do you mean that generally, or more specifically 'PGP signature'?
> > > Many upstream now sign their releases using Sigstore, Sigsum, SSH
> > > Signatures and other non-PGP formats. I expect non-PGP to be more
> > > common than PGP signatures relatively soon, if this hasn't already
> > > happened (depending on what kind of upstreams you count).
> > >
> > > It would be nice if Debian supported more formats for verifying upstream
> > > signatures. Right now we just throw away many signatures. Bonus points
> > > for storing and publishing the non-PGP formats too.
> >
> > The nice thing about having the original upstream tarballs in our
> > archive is that we don't have to care about that. People can verify
> > that our tarballs are the same as upstream's and then check whatever
> > signature upstream chose to apply.
>
> Oh, then I think I misunderstood you. Did you intend to recommend that
> Debian not store a copy of the upstream digital signature together
> with the tarball at all?

Where did you read that?

There is some place where we need to stop, or should we mirror the
original author's PGP key as well?

> > I just find it elegant that there is a way to go from what Debian has in
> > the archive to the upstream web site and verify that both are the same.
> > If not, more scrutiny is recommended.
>
> That would solve the problem, but it will be weaker. Upstream tarballs
> and signatures disappear or are modified over time, and more often than
> we like or even want to admit. Users won't generally be able to find
> and locate those upstream signatures corresponding to whatever tarball
> ended up in Debian. If we store upstream tarballs, and verify their
> digital signatures, I think we should also store upstream digital
> signatures.

We do, don't we?

> And support whatever upstream digital signature format used
> (limited to widely implemented variants like PGP, SSH, Sigstore, Sigsum,
> minisign, signify, ...).

As long as I don't have to work on that, okay with me.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
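The flow Marc describes above (confirm that the tarball in the Debian archive is byte-for-byte upstream's, then check whatever signature upstream applied) together with the formats Simon lists, as an added example that is not from this thread nor from any Debian tool: it parses the Checksums-Sha256 field of a .dsc, compares an upstream download against it, and maps the signature's header to the matching verifier. The sample tarball and .dsc are constructed, and the verifier argv, the SSH namespace and the signer identity are assumptions.

```python
import hashlib

# Constructed sample (not a real package): upstream's bytes and the Checksums-Sha256
# field that a .dsc in the Debian archive records for the orig tarball.
UPSTREAM_TARBALL = b"constructed stand-in for the bytes of foo-1.0.tar.xz\n"
ORIG_NAME = "foo_1.0.orig.tar.xz"
DSC_TEXT = (
    "Format: 3.0 (quilt)\nSource: foo\nChecksums-Sha256:\n"
    f" {hashlib.sha256(UPSTREAM_TARBALL).hexdigest()} {len(UPSTREAM_TARBALL)} {ORIG_NAME}\n"
    "Files:\n"
)

def parse_dsc_sha256(dsc_text):
    """Map filename -> (sha256 hex, size) from the multi-line Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in dsc_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" "):  # continuation lines are indented
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        elif in_field:
            break  # the next field has started
    return entries

def tarball_matches_archive(dsc_text, name, upstream_bytes):
    """True iff the upstream download has the size and SHA-256 the .dsc records for name."""
    expected = parse_dsc_sha256(dsc_text).get(name)
    if expected is None:
        return False
    digest, size = expected
    return len(upstream_bytes) == size and hashlib.sha256(upstream_bytes).hexdigest() == digest

def verifier_command(tarball, sig_path, sig_bytes, key_path, identity="signer-identity"):
    """argv for the tool matching the signature header; flags and identity are assumptions."""
    if sig_bytes.startswith(b"-----BEGIN PGP SIGNATURE-----"):
        return ["gpgv", "--keyring", key_path, sig_path, tarball]
    if sig_bytes.startswith(b"-----BEGIN SSH SIGNATURE-----"):
        # ssh-keygen takes the signed data on stdin; the namespace "file" is assumed here
        return ["ssh-keygen", "-Y", "verify", "-f", key_path, "-I", identity,
                "-n", "file", "-s", sig_path]
    if sig_bytes.startswith(b"untrusted comment:"):  # minisign (signify shares this header)
        return ["minisign", "-Vm", tarball, "-x", sig_path, "-p", key_path]
    raise ValueError(f"unrecognised signature format in {sig_path}")

if __name__ == "__main__":
    print(ORIG_NAME, "matches upstream:", tarball_matches_archive(DSC_TEXT, ORIG_NAME, UPSTREAM_TARBALL))
    print(verifier_command(ORIG_NAME, ORIG_NAME + ".sig", b"-----BEGIN SSH SIGNATURE-----", "allowed_signers"))
```

A size or hash mismatch is the "more scrutiny" case from the thread: the script only names the verifier once the archive copy and the upstream copy agree.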