Hi Jens!

I wonder about a way to retrieve the source after checking the upstream GPG signature. Do you provide those somewhere? I don't see any on http://brick.kernel.dk/snaps/, where I usually go to get new upstream release tarballs.

N: Processing source package fio (version 2.10-1, arch source) ...
P: fio source: debian-watch-may-check-gpg-signature
N:
N:   This watch file does not include a means to verify the upstream tarball
N:   using cryptographic signature.
N:
N:   If upstream distributions provide such signatures, please use the
N:   pgpsigurlmangle options in this watch file's opts= to generate the URL
N:   of an upstream GPG signature. This signature is automatically downloaded
N:   and verified against a keyring stored in
N:   debian/upstream/signing-key.asc.
N:
N:   Of course, not all upstreams provide such signatures, but you could
N:   request them as a way of verifying that no third party has modified the
N:   code against their wishes after the release. Projects such as
N:   phpmyadmin, unrealircd, and proftpd have suffered from this kind of
N:   attack.
N:
N:   Refer to the uscan(1) manual page for details.
N:
N:   Severity: pedantic, Certainty: certain
N:
N:   Check: watch-file, Type: source

--
To unsubscribe from this list: send the line "unsubscribe fio" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
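What the lintian note above is asking for, spelled out as an added example (this is not code from the fio list message, from fio, or from uscan itself): once a debian/watch file carries a pgpsigurlmangle rule, uscan derives the signature URL from the tarball URL and then checks the detached signature against debian/upstream/signing-key.asc only. The script below does the same two steps by hand so they can be run offline, plus an end-to-end demo with an ephemeral key. Everything about fio in it is assumed: brick.kernel.dk/snaps publishes no signatures, so the ".asc" naming, the fio-2.10.tar.gz file name and the demo key are stand-ins, not upstream artifacts.

```shell
#!/bin/sh
# Added example, not from the fio list message and not uscan's own code: the two
# things uscan does once a watch file carries a pgpsigurlmangle rule, written out
# by hand so they can be run and checked offline. The ".asc" naming, the tarball
# name and the demo key are assumptions; brick.kernel.dk/snaps publishes no
# signatures, as the message above says.

# 1. Turn a tarball URL into the signature URL. uscan applies the mangle rule as a
#    Perl s/// substitution; for the usual "append .asc" rule sed is equivalent.
sig_url() {
    # $1 = tarball URL, $2 = mangle rule (default: s/$/.asc/)
    printf '%s\n' "$1" | sed -e "${2:-s/\$/.asc/}"
}

# 2. Verify the tarball against its detached signature using only the keys in
#    debian/upstream/signing-key.asc. gpgv never consults the user's own keyring,
#    so a key that is merely "on the keyservers" does not count. Fails closed
#    (non-zero) when anything is missing instead of silently skipping the check.
verify_tarball() {
    keyring=$1 tarball=$2 sig=$3
    command -v gpgv >/dev/null 2>&1 || { echo "gpgv not installed" >&2; return 2; }
    for f in "$keyring" "$tarball" "$sig"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done
    # gpgv expects a binary keyring; signing-key.asc is ASCII-armoured, so dearmour
    # it into a temporary file first (uscan does the same internally).
    tmpring=$(mktemp) || return 2
    if grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$keyring"; then
        gpg --batch --dearmor < "$keyring" > "$tmpring" || { rm -f "$tmpring"; return 2; }
    else
        cat "$keyring" > "$tmpring"
    fi
    gpgv --keyring "$tmpring" "$sig" "$tarball"
    rc=$?
    rm -f "$tmpring"
    return $rc
}

# 3. End-to-end demonstration with an ephemeral key and a constructed "release"
#    (a few bytes standing in for fio-2.10.tar.gz; not a real upstream tarball).
#    Skips, rather than fails, when GnuPG is not installed.
demo() {
    command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1 || {
        echo "demo skipped: gnupg not installed"; return 0; }
    work=$(mktemp -d) || return 1
    GNUPGHOME=$work/gnupg; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    printf 'constructed payload, not fio\n' > "$work/fio-2.10.tar.gz"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Upstream <demo@example.invalid>' default default never || return 1
    gpg --batch --quiet --armor --export > "$work/signing-key.asc"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign -o "$work/fio-2.10.tar.gz.asc" "$work/fio-2.10.tar.gz" || return 1
    verify_tarball "$work/signing-key.asc" "$work/fio-2.10.tar.gz" "$work/fio-2.10.tar.gz.asc" || return 1
    echo "good signature accepted"
    printf 'tampered' >> "$work/fio-2.10.tar.gz"   # a third party modifies the tarball after release
    if verify_tarball "$work/signing-key.asc" "$work/fio-2.10.tar.gz" "$work/fio-2.10.tar.gz.asc" 2>/dev/null; then
        echo "tampered tarball was accepted" >&2; return 1
    fi
    echo "tampered tarball rejected"
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
}

# Run the demo only when asked for: sh example.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

The corresponding watch file line, assuming upstream published fio-X.Y.tar.gz.asc next to each tarball, would be `opts=pgpsigurlmangle=s/$/.asc/ http://brick.kernel.dk/snaps/fio-(\d[\d.]*)\.tar\.gz` (the URL pattern is an assumption, not taken from the Debian package), with the maintainer's exported copy of upstream's public key committed as debian/upstream/signing-key.asc. Note the dependency order: the check is only as good as how that key was obtained in the first place, so fetch it over a channel independent of the tarball download and pin it in the package rather than trusting whatever key the signature names.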