Lintian tag: debian-watch-does-not-check-openpgp-signature
Type: pedantic
Description (from lintian-explain-tags)
This watch file does not specify a means to verify the upstream tarball
using a cryptographic signature.
If the upstream project publishes such signatures, use the pgpsigurlmangle option in this watch file's opts= field to derive the URL of the upstream OpenPGP signature from the tarball URL. uscan then downloads that signature automatically and verifies it against the keyring stored in debian/upstream/signing-key.asc; a tarball whose signature does not verify is rejected.
Of course, not all upstreams provide such signatures, but you could request them as a way of verifying that no third party has modified the code after its release (projects such as phpmyadmin, unrealircd, and proftpd have had their released source tarballs tampered with in this way).
Please refer to the uscan(1) manual page for details.
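As an added illustration (not part of the Lintian tag text, and not a real project's watch file), here is a debian/watch file for a hypothetical upstream at https://example.org that publishes foo-<version>.tar.gz together with a detached signature foo-<version>.tar.gz.asc. The sed-style pgpsigurlmangle rule appends ".asc" to whatever tarball URL the pattern below matches, which is the URL uscan then fetches and checks against debian/upstream/signing-key.asc:

```text
version=4
# pgpsigurlmangle turns the matched tarball URL into the signature URL
# (https://example.org/releases/foo-1.2.3.tar.gz -> ...tar.gz.asc).
# uscan downloads that signature and verifies it against the keyring in
# debian/upstream/signing-key.asc before accepting the tarball.
opts="pgpsigurlmangle=s/$/.asc/" \
  https://example.org/releases/ foo-(\d[\d.]+)\.tar\.gz
```

The keyring is the part that actually carries the trust: export the upstream signing key with gpg --export --armor <fingerprint> > debian/upstream/signing-key.asc only after confirming the fingerprint out of band (project documentation, a release announcement signed by a known key, or direct contact), because a key fetched from the same server that serves the tarball proves nothing about who produced it. Running uscan --verbose then reports whether the signature verified, and uscan aborts rather than handing over an unverified tarball. uscan(1) also documents pgpmode=auto, which probes common signature-file names when upstream's layout does not need an explicit mangling rule.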
Visibility: pedantic
Show-Always: no
Check: debian/watch
Renamed from: debian-watch-does-not-check-gpg-signature
debian-watch-may-check-gpg-signature
This tag is experimental.