debian-watch-does-not-check-openpgp-signature

This watch file does not specify a means to verify the upstream tarball using a cryptographic signature.

If the upstream distribution provides such signatures, please use the pgpsigurlmangle option in this watch file's opts= to generate the URL of the upstream OpenPGP signature from the tarball URL. uscan then downloads the signature automatically and verifies the tarball against the keyring stored in debian/upstream/signing-key.asc.
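An added example, not taken from the Lintian tag text or from any particular package, of a watch file that triggers this tag next to one that fixes it. The upstream URL, the version pattern and the ".asc" suffix are assumptions; substitute the project's real release location and whatever suffix its detached signatures actually use (".sig" is also common).

```text
# debian/watch -- BEFORE: fetches the tarball but never checks a signature
# (assumed upstream URL and filename pattern)
version=4
https://example.org/releases/foo-(\d[\d.]*)\.tar\.gz

# debian/watch -- AFTER: pgpsigurlmangle rewrites the tarball URL into the
# signature URL (here by appending ".asc"); uscan downloads both and
# verifies the tarball against debian/upstream/signing-key.asc
version=4
opts="pgpsigurlmangle=s/$/.asc/" \
https://example.org/releases/foo-(\d[\d.]*)\.tar\.gz
```

The keyring is an ASCII-armored export of the upstream release key, produced with the standard `gpg --armor --export <fingerprint> > debian/upstream/signing-key.asc`. The check is only as strong as that key, so obtain the fingerprint through a channel independent of the download site (a release announcement, the project's key page, or a maintainer you have met) rather than from the same server that serves the tarball. Running `uscan --verbose` reports whether the signature verified; to repeat the check by hand, dearmor the keyring with `gpg --dearmor` and run `gpg --no-default-keyring --keyring ./signing-key.gpg --verify foo-1.2.3.tar.gz.asc foo-1.2.3.tar.gz` (assumed filenames).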

Of course, not all upstreams provide such signatures, but you could request them as a way of verifying that no third party has modified the code after its release (projects such as phpmyadmin, unrealircd, and proftpd have suffered from this kind of attack, where a tampered tarball was served from the official download site).

Severity: pedantic
Experimental: true
Renamed from: debian-watch-does-not-check-gpg-signature, debian-watch-may-check-gpg-signature

See also