debian-watch-does-not-check-openpgp-signature

This watch file does not specify a means to verify the upstream tarball using a cryptographic signature.

If upstream distributions provides such signatures, please use the pgpsigurlmangle options in this watch file's opts= to generate the URL of an upstream OpenPGP signature. This signature is automatically downloaded and verified against a keyring stored in debian/upstream/signing-key.asc

Of course, not all upstreams provide such signatures but you could request them as a way of verifying that no third party has modified the code after its release (projects such as phpmyadmin, unrealircd, and proftpd have suffered from this kind of attack).

Severity:	pedantic
Experimental:	true
Renamed from:	debian-watch-does-not-check-gpg-signature, debian-watch-may-check-gpg-signature

See also

• the uscan(1) manual page

• list of all the affected packages
• the source of this tag

Generated by Lintian SSG v0.7.0-28-g559962f (lintian v2.118.1) on Sat, 07 Sep 2024 19:15:02 UTC - Source code and bugs
Copyright © 1998-2024 Lintian authors

Hosted by CLUB1