Lintian ReportsBETA

P debian-watch-does-not-check-gpg-signature

This watch file does not specify a means to verify the upstream tarball using a cryptographic signature.

If upstream distributions provides such signatures, please use the pgpsigurlmangle options in this watch file's opts= to generate the URL of an upstream GPG signature. This signature is automatically downloaded and verified against a keyring stored in debian/upstream/signing-key.asc

Of course, not all upstreams provide such signatures but you could request them as a way of verifying that no third party has modified the code after its release (projects such as phpmyadmin, unrealircd, and proftpd have suffered from this kind of attack).

For more information please consult:

The tag is present in Lintian version 2.114.140. That is the most recent version we know about.

We use semantic versions. The patch number is a commit step indicator relative to the 2.112.0 release tag in our Git repository.

You can find the detection logic for this version at commit 131c0f4. For merge requests, please use the latest version in the Lintian check debian/watch.

This tag is experimental.

Visibility: pedantic

Renamed from:
  • debian-watch-may-check-gpg-signature

The following 27407 source packages in the archive triggered the tag 27407 times (in any Lintian version).

We found 422 overrides. The tag performed 98% of the time.