Bug#839866: import-orig: please make --upstream-vcs-tag=... verify tag signatures

2016-10-05 Thread Guido Günther
On Wed, Oct 05, 2016 at 09:55:08PM +0200, Guilhem Moulin wrote:
> Package: git-buildpackage
> Version: 0.8.4
> Severity: wishlist
> 
> Dear Maintainer,
> 
> `gpg import-orig --upstream-vcs-tag` provides a nice way to preserve the
> upstream VCS tree up to the most recent tag.  However, signed upstream
> tags, when present, are currently not verified.  It would be nice to
> provide an option for automatic tag verification using the armored
> keyring from debian/upstream/signing-key.asc, to match uscan(1)
> signature verification logic.
> 
> In cases where upstream generates tarballs based on VCS tags,
> maintainers could then easily avoid downloading upstream tarballs
> altogether while 1/ preserving the upstream VCS tree, and 2/ still being
> able to ensure upstream code integrity. 

That makes a lot of sense. I'm not a heavy --upstream-vcs-tag user so
tested patches (preferably with a testcase [1]) would be nice!
Cheers,
 -- Guido

[1]: a simple test in tests/component would be sufficient to test this
behaviour at all



Bug#839866: import-orig: please make --upstream-vcs-tag=... verify tag signatures

2016-10-05 Thread Guilhem Moulin
Package: git-buildpackage
Version: 0.8.4
Severity: wishlist

Dear Maintainer,

`gpg import-orig --upstream-vcs-tag` provides a nice way to preserve the
upstream VCS tree up to the most recent tag.  However, signed upstream
tags, when present, are currently not verified.  It would be nice to
provide an option for automatic tag verification using the armored
keyring from debian/upstream/signing-key.asc, to match uscan(1)
signature verification logic.

In cases where upstream generates tarballs based on VCS tags,
maintainers could then easily avoid downloading upstream tarballs
altogether while 1/ preserving the upstream VCS tree, and 2/ still being
able to ensure upstream code integrity. 

Thanks for maintaining gbp!
-- 
Guilhem.
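
Added example, not part of the original message and not gbp's own code: one way the requested check could work, written in Python since that is gbp's language. It imports only the keys from debian/upstream/signing-key.asc into a throwaway GNUPGHOME, runs `git verify-tag --raw`, and accepts the tag only on a single good signature; the function names and the sample status lines are assumptions constructed for illustration.

```python
import os, subprocess, tempfile

KEYRING = "debian/upstream/signing-key.asc"  # path named in the bug report
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signer_of(status):
    """Parse gpg status lines (hypothetical helper). Return the signing key's
    primary fingerprint only for exactly one good, unexpired, unrevoked
    signature; otherwise None."""
    good, fpr = 0, None
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return None
        if fields[1] == "GOODSIG":
            good += 1
        elif fields[1] == "VALIDSIG" and len(fields) >= 3:
            # 10th argument is the primary key fingerprint when present
            fpr = fields[11] if len(fields) > 11 else fields[2]
    return fpr if good == 1 else None

def verify_tag(repo, tag, keyring=KEYRING):
    """Verify a signed tag against only the keys in the packaging tree's
    keyring (hypothetical helper). Returns a fingerprint or None."""
    with tempfile.TemporaryDirectory() as home:  # created with mode 0700
        env = dict(os.environ, GNUPGHOME=home)   # ignore the user's own keyring
        subprocess.run(["gpg", "--batch", "--quiet", "--import",
                        os.path.join(repo, keyring)], env=env, check=True)
        res = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                             env=env, capture_output=True, text=True)
        # unsigned or lightweight tags make git exit non-zero
        return signer_of(res.stderr) if res.returncode == 0 else None

# Constructed gpg status output for a good signature (not real key material)
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1122334455667788 Upstream Dev <dev@example.org>\n"
    "[GNUPG:] VALIDSIG " + "A" * 40 + " 2016-10-05 1475697308 0 4 0 1 8 00 "
    + "B" * 40 + "\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")

if __name__ == "__main__":
    print(signer_of(SAMPLE_GOOD))
```

The keyring is read from the packaging working tree, so it should come from a branch the maintainer controls rather than from the upstream history being imported.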

