James Hogarth wrote:
We trust our packagers to do a lot, we can trust them to add this to their
packages if it helps them and for them to encourage it in their reviews if
they find a signed archive provided upstream.
IMHO, this is the main point. Checking signatures automatically in %prep only makes sense
if you are sure you're using the correct public key. So the packager, who is supposed
to work closely with upstream, MUST make sure that he has the correct public key from
first-hand knowledge before he can include it in the spec file as %(SourceN) for %prep.
This is as important as checking the source code for licensing files and it would be much
more than the average Joe would do if he were going to check the source himself.
Sometimes the packager and upstream are even the same, so making sure the right public key
is being used will be quite easy.
Having said the above, I also advocate a SHOULD instead of a MUST in the guidelines as
providing a signature with the source tarball is voluntary for upstream and should be
viewed as an additional means to maintain the integrity of the code that should be
honoured in the spec file.
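As an added illustration (not from the thread or from any Fedora package), here is a spec fragment showing the arrangement described above: the upstream public key is pinned as a SourceN file that the packager exported after checking the fingerprint first-hand, and %prep refuses to unpack a tarball that does not verify against it. It assumes the %{gpgverify} macro shipped by redhat-rpm-config and uses placeholder names (foo, example.org, KEYID-PLACEHOLDER).

```spec
# Constructed example spec fragment (added here, not from the discussion).
# Assumes the %{gpgverify} macro from redhat-rpm-config; names are placeholders.
Name:           foo
Version:        1.2.3
Release:        1%{?dist}
Summary:        Example package with upstream signature verification in %prep
License:        MIT
URL:            https://example.org/foo

Source0:        https://example.org/foo/foo-%{version}.tar.gz
Source1:        https://example.org/foo/foo-%{version}.tar.gz.asc
# The packager exports upstream's key only after confirming its fingerprint
# first-hand (e.g. gpg --export --export-options export-minimal KEYID > file)
# and commits the keyring next to the spec. It is never fetched from a
# keyserver during the build: a key obtained at build time proves nothing.
Source2:        gpgkey-KEYID-PLACEHOLDER.gpg

%description
Example package demonstrating a pinned upstream signing key.

%prep
# Aborts the build unless Source0 carries a valid signature from a key in
# the pinned keyring; only then is the archive unpacked.
%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}
%autosetup
```

If an upstream release is signed with a new key, the build fails until the packager has verified the new key and updated Source2, which is exactly the review step the thread is asking packagers to own.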