Package: devscripts
Version: 2.22.2
Severity: wishlist
Control: block 1016087 by -1
Hi!

The debdiff command can compare a couple of Debian source packages (.dsc), but it needs to unpack them first with dpkg-source. That command will check the checksums and the signatures.

The problem is that letting dpkg-source verify the signatures can be confusing for users when we are sure the provenance of the .dsc is from a signed and verified Debian repository, as the signatures or the keys that made them might have expired or been revoked, the keys might be using weak algorithms, or the keys might not even be present in the keyrings if the holders are no longer project members. In the context of a signed repository their primary purpose is to transfer the trust anchor from the uploader to the archive software, which can then handle metaindex re-signing, key rotation, expiration, etc., which do not suffer from the problems of a one-time static signature.

It would then be helpful to have an option that can be used to request passing --no-check (f.ex.) to dpkg-source so that it avoids doing such checks (when we can guarantee the safe provenance of the .dsc), in a similar way to how apt passes it too on «apt source».

This is a blocker to be able to fix #1016087 in apt-listdifferences.

Thanks,
Guillem
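The request above hinges on one condition: --no-check is only safe when the .dsc really is the file the signed repository index describes. The following added example (written for this page, not code from devscripts, apt or apt-listdifferences) shows that gate in Python: it reads the Checksums-Sha256 field of a Sources stanza, compares it with the on-disk .dsc, and only then adds --no-check to the dpkg-source command line; a .dsc that does not match falls back to dpkg-source's own checksum and signature verification. The .dsc contents and the Sources stanza are constructed for the example, and the function names (parse_sources_checksums, dsc_provenance_ok, dpkg_source_extract_cmd, run_demo) are hypothetical. It assumes the Sources index itself was already verified against the repository's Release signature by apt, which is the trust anchor the report describes.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample .dsc (not a real Debian package); its hash is computed at run time.
SAMPLE_DSC_NAME = "example_1.0-1.dsc"
SAMPLE_DSC_TEXT = """Format: 3.0 (quilt)
Source: example
Binary: example
Architecture: any
Version: 1.0-1
Maintainer: Example Maintainer <maintainer@example.invalid>
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 example_1.0.orig.tar.xz
"""


def parse_sources_checksums(sources_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field of a
    Sources index stanza (the index apt fetched and verified via the Release signature)."""
    checksums = {}
    in_field = False
    for line in sources_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if not in_field:
            continue
        if line.startswith(" ") and line.strip():
            digest, size, name = line.split()
            checksums[name] = (digest, int(size))
        else:
            in_field = False  # next field or end of stanza
    return checksums


def dsc_provenance_ok(dsc_path, sources_text):
    """True only if the on-disk .dsc has exactly the SHA-256 and size recorded for it
    in the verified Sources index."""
    expected = parse_sources_checksums(sources_text).get(os.path.basename(dsc_path))
    if expected is None:
        return False
    data = Path(dsc_path).read_bytes()
    return len(data) == expected[1] and hashlib.sha256(data).hexdigest() == expected[0]


def dpkg_source_extract_cmd(dsc_path, sources_text):
    """Build the dpkg-source command line for unpacking dsc_path. --no-check is added
    only when the checksum chain back to the signed index verified; otherwise
    dpkg-source keeps its own checksum and signature checks."""
    cmd = ["dpkg-source"]
    if dsc_provenance_ok(dsc_path, sources_text):
        cmd.append("--no-check")
    return cmd + ["-x", dsc_path]


def make_sample_index(dsc_path):
    """Construct a Sources stanza describing dsc_path, as a verified index would."""
    data = Path(dsc_path).read_bytes()
    return (
        "Package: example\n"
        "Version: 1.0-1\n"
        "Checksums-Sha256:\n"
        f" {hashlib.sha256(data).hexdigest()} {len(data)} {os.path.basename(dsc_path)}\n"
        "Directory: pool/main/e/example\n"
    )


def run_demo():
    """Write the sample .dsc, build the command for it clean and after tampering."""
    tmp = tempfile.mkdtemp()
    dsc_path = os.path.join(tmp, SAMPLE_DSC_NAME)
    Path(dsc_path).write_text(SAMPLE_DSC_TEXT)
    sources = make_sample_index(dsc_path)
    clean_cmd = dpkg_source_extract_cmd(dsc_path, sources)
    # Simulate a .dsc that no longer matches the index (one byte appended).
    with open(dsc_path, "ab") as fh:
        fh.write(b"\n")
    tampered_cmd = dpkg_source_extract_cmd(dsc_path, sources)
    return {"clean": clean_cmd, "tampered": tampered_cmd}


if __name__ == "__main__":
    for label, cmd in run_demo().items():
        print(label, " ".join(cmd))
```

Running the block prints two command lines: the clean .dsc gets dpkg-source --no-check -x, while the tampered copy gets plain dpkg-source -x, so the signature check is skipped only where the repository's own integrity chain already covers the file.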