debian-watch-does-not-check-openpgp-signature
This watch file does not specify a means to verify the upstream tarball using a cryptographic signature.

If the upstream distribution provides such signatures, please use the pgpsigurlmangle option in this watch file's opts= to generate the URL of an upstream OpenPGP signature. This signature is automatically downloaded and verified against a keyring stored in debian/upstream/signing-key.asc.

Of course, not all upstreams provide such signatures, but you could request them as a way of verifying that no third party has modified the code after its release (projects such as phpmyadmin, unrealircd, and proftpd have suffered from this kind of attack).
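An added example of the change this tag asks for (not part of the Lintian description; the upstream URL, package name and ".asc" suffix are assumed): a debian/watch file with the unchecked line commented out beside the line that makes uscan fetch and verify the detached signature.

```text
# debian/watch, version 4 syntax (constructed example)
version=4

# Before: uscan downloads the tarball but has no way to verify it, so a
# tarball replaced on the mirror or in transit is accepted unchanged.
# https://example.org/releases/foo-(\d+(?:\.\d+)*)\.tar\.gz

# After: pgpsigurlmangle rewrites the tarball URL into the signature URL by
# appending ".asc" (use ".sig" if upstream names its signatures that way).
# uscan then downloads foo-<version>.tar.gz.asc and checks it against the
# keyring in debian/upstream/signing-key.asc before accepting the tarball.
opts=pgpsigurlmangle=s/$/.asc/ https://example.org/releases/foo-(\d+(?:\.\d+)*)\.tar\.gz
```

The keyring is an ASCII-armored export of the upstream release key, for example `gpg --export --armor <upstream key fingerprint> > debian/upstream/signing-key.asc`, where the fingerprint should be obtained from upstream out of band rather than from the tarball download site itself.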
Severity: pedantic
Experimental: true
Renamed from: debian-watch-does-not-check-gpg-signature, debian-watch-may-check-gpg-signature
See also: the uscan(1) manual page