Diffstat (limited to 'tags/d/debian-watch-does-not-check-openpgp-signature.tag')
-rw-r--r-- tags/d/debian-watch-does-not-check-openpgp-signature.tag | 21
1 files changed, 21 insertions, 0 deletions
diff --git a/tags/d/debian-watch-does-not-check-openpgp-signature.tag b/tags/d/debian-watch-does-not-check-openpgp-signature.tag
new file mode 100644
index 0000000..367b522
--- /dev/null
+++ b/tags/d/debian-watch-does-not-check-openpgp-signature.tag
@@ -0,0 +1,21 @@
+Tag: debian-watch-does-not-check-openpgp-signature
+Severity: pedantic
+Check: debian/watch
+Experimental: yes
+See-Also: uscan(1)
+Explanation: This watch file does not specify a means to verify the upstream
+ tarball using a cryptographic signature.
+ .
+ If upstream distributions provides such signatures, please use the
+ <code>pgpsigurlmangle</code> options in this watch file's <code>opts=</code> to
+ generate the URL of an upstream OpenPGP signature. This signature is
+ automatically downloaded and verified against a keyring stored in
+ <code>debian/upstream/signing-key.asc</code>
+ .
+ Of course, not all upstreams provide such signatures but you could
+ request them as a way of verifying that no third party has modified the
+ code after its release (projects such as phpmyadmin, unrealircd, and
+ proftpd have suffered from this kind of attack).
+Renamed-From:
+ debian-watch-does-not-check-gpg-signature
+ debian-watch-may-check-gpg-signature
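Review bot: The Explanation paragraph in this hunk has wording and punctuation problems that should be fixed before the tag ships, since Lintian users read it verbatim. "If upstream distributions provides such signatures" mixes plural and singular (suggest "If upstream provides such signatures"); `pgpsigurlmangle` is a single option, so "the <code>pgpsigurlmangle</code> options" should be "the <code>pgpsigurlmangle</code> option"; and the sentence ending in "<code>debian/upstream/signing-key.asc</code>" is missing its full stop. While touching that paragraph, consider pointing out that uscan(1) (already in See-Also) also accepts `pgpmode=auto`, which looks for a detached signature next to the tarball without a mangle rule, as the simpler fix for the common case; the security point of the tag, that a signature verified against a keyring shipped in the package detects a tampered upstream release, is sound and worth keeping as the closing sentence. The Renamed-From block correctly covers both of the old tag names, so existing overrides keep working.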