Lintian Reports (beta)

debian-watch-does-not-check-gpg-signature

Tag versions

The tag is present in Lintian version 2.104.234. That is the most recent version we know about.

This watch file does not specify a means to verify the upstream tarball using a cryptographic signature.

If the upstream distribution provides such signatures, please use the pgpsigurlmangle option in this watch file's opts= to generate the URL of the upstream GPG signature. This signature is automatically downloaded and verified against the keyring stored in debian/upstream/signing-key.asc.

Of course, not all upstreams provide such signatures but you could request them as a way of verifying that no third party has modified the code after its release (projects such as phpmyadmin, unrealircd, and proftpd have suffered from this kind of attack).

Refer to the uscan(1) manual page for details.
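As an added example (not taken from the Lintian page or the uscan documentation), here is a debian/watch file that triggers this tag next to the same file with signature verification enabled; the project name, download URL and key fingerprint are placeholders, and the ".asc" suffix assumes upstream publishes detached ASCII-armored signatures next to each tarball.

```text
# --- Before: triggers debian-watch-does-not-check-gpg-signature ---
# The tarball is downloaded, but nothing ties it to upstream's release key.
version=4
https://example.org/releases/foo-(\d[\d.]*)\.tar\.gz

# --- After: signature checked against debian/upstream/signing-key.asc ---
# pgpsigurlmangle rewrites the tarball URL into the signature URL (here by
# appending ".asc"); uscan fetches that signature and verifies the tarball
# with the keyring before accepting it.
version=4
opts="pgpsigurlmangle=s%$%.asc%" \
  https://example.org/releases/foo-(\d[\d.]*)\.tar\.gz

# The keyring must contain upstream's release signing key (placeholder
# fingerprint), exported in armored form:
#   gpg --armor --export 0000000000000000000000000000000000000000 \
#       > debian/upstream/signing-key.asc
```

With the second form, a tarball whose signature does not verify against the keyring makes uscan fail instead of quietly keeping the download.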

This tag is experimental.

Visibility: pedantic

Check: debian/watch

The following 26951 source packages in the archive triggered the tag 26951 times.

We found 433 overrides. The tag performed 98% of the time.