Lintian ReportsBETA

Tag versions

Pdebian-watch-does-not-check-gpg-signature

The tag is present in Lintian version 2.113.26. That is the most recent version we know about.

We use semantic versions. The patch number is a commit step indicator relative to the 2.108.0 release tag in our Git repository.

You can find the detection logic for this version at commit a1e47cb. For merge requests, please use the latest version in the Lintian check debian/watch.

This tag is experimental.

Visibility: pedantic

Renamed from:

This watch file does not specify a means to verify the upstream tarball using a cryptographic signature.

If upstream distributions provides such signatures, please use the pgpsigurlmangle options in this watch file's opts= to generate the URL of an upstream GPG signature. This signature is automatically downloaded and verified against a keyring stored in debian/upstream/signing-key.asc

Of course, not all upstreams provide such signatures but you could request them as a way of verifying that no third party has modified the code after its release (projects such as phpmyadmin, unrealircd, and proftpd have suffered from this kind of attack).

For more information please consult:

The following 27038 source packages in the archive triggered the tag 27038 times (in any Lintian version).

We found 430 overrides. The tag performed 98% of the time.