On Wed, Mar 30, 2016 at 02:26:59PM -0000, Ralf Senderek wrote:
[snip the part I completely agree with]
Having said the above, I also advocate a SHOULD instead of a MUST in
the guidelines as providing a signature with the source tarball is
voluntary for upstream and should be viewed as an additional means
to maintain the integrity of the code that should be honoured in the
spec file.
What the upstream does is something that we cannot control, and we can
only encourage the upstream to DTRT.
In fact signatures and license files are quite similar:
our guidelines say that the license file MUST be installed if provided
by upstream, and packagers SHOULD ask upstream to provide it if it is
missing [1]. I think we should follow this pattern for signatures.
There will always be exceptions to the "MUST check if signed" rule:
repacking the tarball is an obvious one. The guidelines should
acknowledge this.
Zbyszek