Bug#699721: uscan: needs a way to verify signatures/hashes provided by upstream

Paul Wise pabs at debian.org
Mon Feb 4 01:53:08 UTC 2013


Package: devscripts
Version: 2.12.6
Severity: wishlist
File: /usr/bin/uscan
User: devscripts at packages.debian.org
Usertags: uscan

Some upstreams use detached GPG signatures to allow others to verify
that their tarballs have not been tampered with or corrupted. Others
simply add files containing hash sums. uscan should support checking
both of these verification methods. Automatically downloading and
checking .asc/.gpg/.md5sum/.sha1sum/.sha256sum files would be a start
but probably uscan needs to have some options for this in case upstream
stores such files in different directories.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
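
An added example, not part of the original report and not uscan's code: one way to check a downloaded tarball against an upstream .md5sum/.sha1sum/.sha256sum file, failing closed when the tarball is not listed. The function names and the sample file are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hash algorithm implied by the checksum file's extension.
ALGOS = {".md5sum": "md5", ".sha1sum": "sha1", ".sha256sum": "sha256"}

def parse_sums(text):
    """Parse coreutils-style lines ('<hex>  <name>' or '<hex> *<name>')."""
    sums = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, sep, rest = line.strip().partition(" ")
        if not sep or not rest:
            raise ValueError(f"no file name on line: {line!r}")
        name = rest[1:] if rest[0] in " *" else rest  # drop text/binary marker
        # Match on the file name only; bytes.fromhex rejects a non-hex digest.
        sums[os.path.basename(name)] = bytes.fromhex(digest)
    return sums

def verify(tarball, sums_path):
    """Return True only if tarball matches its entry in the checksum file."""
    # A hash file fetched from the same place as the tarball detects corruption
    # only; it says nothing about tampering unless it is itself signed.
    algo = ALGOS.get(os.path.splitext(sums_path)[1])
    if algo is None:
        raise ValueError(f"unrecognised checksum file type: {sums_path}")
    with open(sums_path, encoding="utf-8") as fh:
        sums = parse_sums(fh.read())
    expected = sums.get(os.path.basename(tarball))
    if expected is None:  # fail closed: a missing entry is not "verified"
        raise LookupError(f"{tarball} is not listed in {sums_path}")
    h = hashlib.new(algo)
    with open(tarball, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.digest() == expected

def demo():
    """Constructed sample: a fake tarball, its .sha256sum, then a modified copy."""
    with tempfile.TemporaryDirectory() as d:
        tarball = Path(d, "example-1.0.tar.gz")
        sums = Path(d, "example-1.0.tar.gz.sha256sum")
        data = b"constructed sample tarball bytes\n"
        tarball.write_bytes(data)
        sums.write_text(f"{hashlib.sha256(data).hexdigest()} *{tarball.name}\n")
        intact = verify(tarball, sums)
        tarball.write_bytes(data + b"x")  # simulate corruption or tampering
        return intact, verify(tarball, sums)
```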