debian-watch-could-verify-download

One or more upstream signing keys are present in the Debian package but are not being used.

Please enable the cryptographic verification of downloads with the "pgpsigurlmangle" option in your watch file or remove the key.

For more information please consult:

the uscan(1) manual page

The tag is present in Lintian version 2.114.163. That is the most recent version we know about.

We use semantic versions. The patch number is a commit step indicator relative to the 2.114.0 release tag in our Git repository.

You can find the detection logic for this version at commit ea05801. For merge requests, please use the latest version in the Lintian check debian/watch.

Visibility: warning

The following 84 source packages in the archive triggered the tag 84 times (in any Lintian version).

We found 2 overrides. The tag performed 98% of the time.

adplug

debian/upstream/signing-key.asc [debian/watch]

authres

debian/upstream/signing-key.asc [debian/watch]

broker

debian/upstream/signing-key.asc [debian/watch]

debian/upstream/signing-key.asc [debian/watch]

bugwarrior

debian/upstream/signing-key.asc [debian/watch]

buildlog-consultant

debian/upstream/signing-key.asc [debian/watch]

burp

debian/upstream/signing-key.asc [debian/watch]

cl-launch

debian/upstream/signing-key.asc [debian/watch]

dejagnu

debian/upstream/signing-key.asc [debian/watch]

django-countries

debian/upstream/signing-key.asc [debian/watch]

django-picklefield

debian/upstream/signing-key.asc [debian/watch]

djangorestframework-gis

debian/upstream/signing-key.asc [debian/watch]

dkimpy-milter

debian/upstream/signing-key.asc [debian/watch]

elpa

debian/upstream/signing-key.asc [debian/watch]

fadecut

debian/upstream/signing-key.asc [debian/watch]

formiko

debian/upstream/signing-key.asc [debian/watch]

freeradius

debian/upstream/signing-key.asc [debian/watch]

g3dviewer

debian/upstream/signing-key.asc [debian/watch]

glslang

debian/upstream/signing-key.asc [debian/watch]

gplaycli

debian/upstream/signing-key.asc [debian/watch]

guile-gcrypt

debian/upstream/signing-key.asc [debian/watch]

guile-sqlite3

debian/upstream/signing-key.asc [debian/watch]

guile-ssh

debian/upstream/signing-key.asc [debian/watch]

heaptrack

debian/upstream/signing-key.asc [debian/watch]

heimdal

debian/upstream/signing-key.asc [debian/watch]

inkscape-textext

debian/upstream/signing-key.asc [debian/watch]

ipvsadm

debian/upstream/signing-key.asc [debian/watch]

irssi-plugin-robustirc

debian/upstream/signing-key.asc [debian/watch]

iso-codes

debian/upstream/signing-key.asc [debian/watch]

libjpeg-turbo

debian/upstream/signing-key.asc [debian/watch]

libpsl

debian/upstream/signing-key.asc [debian/watch]

libtool

debian/upstream/signing-key.asc [debian/watch]

link-grammar

debian/upstream/signing-key.asc [debian/watch]

linphone

debian/upstream/signing-key.asc [debian/watch]

llgal

debian/upstream/signing-key.asc [debian/watch]

lltag

debian/upstream/signing-key.asc [debian/watch]

lsp-mode

debian/upstream/signing-key.asc [debian/watch]

m2crypto

debian/upstream/signing-key.asc [debian/watch]

manpages

debian/upstream/signing-key.asc [debian/watch]

mariadb-10.5

debian/upstream/signing-key.asc [debian/watch]

mariadb-10.6

debian/upstream/signing-key.asc [debian/watch]

mescc-tools

debian/upstream/signing-key.asc [debian/watch]

molotov

debian/upstream/signing-key.asc [debian/watch]

mopidy-tunein

debian/upstream/signing-key.asc [debian/watch]

mps-youtube

debian/upstream/signing-key.asc [debian/watch]

mumble

debian/upstream/signing-key.asc [debian/watch]

mydumper

debian/upstream/signing-key.asc [debian/watch]

netsed

debian/upstream/signing-key.asc [debian/watch]

net-snmp

debian/upstream/signing-key.asc [debian/watch]

nmap

debian/upstream/signing-key.asc [debian/watch]

onionbalance

debian/upstream/signing-key.asc [debian/watch]

pacvim

debian/upstream/signing-key.asc [debian/watch]

paramiko

debian/upstream/signing-key.asc [debian/watch]

pg-auto-failover

debian/upstream/signing-key.asc [debian/watch]

pglogical

debian/upstream/signing-key.asc [debian/watch]

php-amqplib

debian/upstream/signing-key.asc [debian/watch]

php-doctrine-deprecations

debian/upstream/signing-key.asc [debian/watch]

php-mikey179-vfsstream

debian/upstream/signing-key.asc [debian/watch]

php-sql-formatter

debian/upstream/signing-key.asc [debian/watch]

php-symfony-security-acl

debian/upstream/signing-key.asc [debian/watch]

procenv

debian/upstream/signing-key.asc [debian/watch]

pycuda

debian/upstream/signing-key.asc [debian/watch]

pyopencl

debian/upstream/signing-key.asc [debian/watch]

pyspread

debian/upstream/signing-key.asc [debian/watch]

python-argon2

debian/upstream/signing-key.asc [debian/watch]

python-django-navtag

debian/upstream/signing-key.asc [debian/watch]

python-django-otp

debian/upstream/signing-key.asc [debian/watch]

python-hglib

debian/upstream/signing-key.asc [debian/watch]

python-pgpdump

debian/upstream/signing-key.asc [debian/watch]

python-rply

debian/upstream/signing-key.asc [debian/watch]

python-zeep

debian/upstream/signing-key.asc [debian/watch]

qemu

debian/upstream/signing-key.asc [debian/watch]

realmd

debian/upstream/signing-key.asc [debian/watch]

resolvconf-admin

debian/upstream/signing-key.asc [debian/watch]

scrypt

debian/upstream/signing-key.asc [debian/watch]

sqlcipher

debian/upstream/signing-key.asc [debian/watch]

stgit

debian/upstream/signing-key.asc [debian/watch]

tomoyo-tools

debian/upstream/signing-key.asc [debian/watch]

txtorcon

debian/upstream/signing-key.asc [debian/watch]

vdpauinfo

debian/upstream/signing-key.asc [debian/watch]

debian/upstream/signing-key.asc [debian/watch]

x11vnc

debian/upstream/signing-key.asc [debian/watch]

xandikos

debian/upstream/signing-key.asc [debian/watch]

zsh-syntax-highlighting

- # Upstream provides PGP-signed git tags, rather than tarballs; and github doesn't seem to expose the tag itself (in the `git cat-file tag 0.6.0` sense) in a GETable URL. Thus, the debian/upstream/signing-key.asc _is_ useful — it serves to pin the public keys expected to sign upstream tags — even though that verification is not currently automated.
debian/upstream/signing-key.asc [debian/watch]