Tag: debian-watch-does-not-check-openpgp-signature
Severity: pedantic
Check: debian/watch
Experimental: yes
See-Also: uscan(1)
Explanation: This watch file does not specify a means to verify the upstream
tarball using a cryptographic signature.
.
If the upstream distribution provides such signatures, please use the
pgpsigurlmangle option in this watch file's opts= to generate the URL of
the upstream OpenPGP signature. This signature is automatically
downloaded and verified against a keyring stored in
debian/upstream/signing-key.asc.
.
Of course, not all upstreams provide such signatures but you could
request them as a way of verifying that no third party has modified the
code after its release (projects such as phpmyadmin, unrealircd, and
proftpd have suffered from this kind of attack).
Renamed-From:
debian-watch-does-not-check-gpg-signature
debian-watch-may-check-gpg-signature
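As an added illustration of the pgpsigurlmangle behaviour described in the explanation above (this is not uscan's or Lintian's own code), the following Python derives the signature URL uscan would fetch from a watch file's opts= line. The two watch files are constructed samples, the host example.org is a placeholder, and only s/// rules are handled.

```python
import re

# Constructed sample watch files: the first omits any signature check (what this
# tag reports); the second derives the signature URL with pgpsigurlmangle.
WATCH_UNSIGNED = """version=4
https://example.org/releases/foo-(\\d+\\.\\d+)\\.tar\\.gz
"""

WATCH_SIGNED = """version=4
opts="pgpsigurlmangle=s/$/.asc/" \\
  https://example.org/releases/foo-(\\d+\\.\\d+)\\.tar\\.gz
"""

def parse_opts(watch_text):
    """Return the opts= settings of the first source line as a dict.
    Backslash-continued lines are joined first, as uscan does."""
    body = "\n".join(ln for ln in watch_text.splitlines() if not ln.startswith("#"))
    lines = [ln.strip() for ln in body.replace("\\\n", " ").splitlines() if ln.strip()]
    src = next(ln for ln in lines if not ln.startswith("version="))
    m = re.match(r'opts="([^"]*)"\s+', src) or re.match(r"opts=(\S+)\s+", src)
    if not m:
        return {}
    return dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)

def apply_mangle(rule, text):
    """Apply one uscan-style s<delim>regex<delim>replacement<delim>[flags] rule.
    Perl-style $1 backreferences become Python \\1; only 's' is handled here
    (real uscan also accepts tr/y rules, which this helper does not)."""
    if len(rule) < 2 or rule[0] != "s":
        raise ValueError(f"unsupported mangle rule: {rule!r}")
    parts = rule[2:].split(rule[1])
    if len(parts) < 3:
        raise ValueError(f"malformed mangle rule: {rule!r}")
    pattern, repl, flags = parts[0], parts[1], parts[2]
    repl = re.sub(r"\$(\d+)", r"\\\1", repl)
    return re.sub(pattern, repl, text, count=0 if "g" in flags else 1,
                  flags=re.IGNORECASE if "i" in flags else 0)

def signature_url(watch_text, tarball_url):
    """URL of the OpenPGP signature uscan would download for tarball_url, or
    None when the watch file sets no pgpsigurlmangle (the tag's condition)."""
    rule = parse_opts(watch_text).get("pgpsigurlmangle")
    return None if rule is None else apply_mangle(rule, tarball_url)

if __name__ == "__main__":
    url = "https://example.org/releases/foo-1.2.tar.gz"
    print("unsigned watch:", signature_url(WATCH_UNSIGNED, url))
    print("signed watch:  ", signature_url(WATCH_SIGNED, url))
```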