This is currently breaking builds of Whonix on Debian jessie, because lintian is reporting this issue, genmkfile detects it and breaks the build.
P: anon-apt-sources-list source: debian-watch-may-check-gpg-signature
N:
N:    This watch file does not include a means to verify the upstream tarball
N:    using cryptographic signature.
N:
N:    If upstream distributions provide such signatures, please use the
N:    pgpsigurlmangle options in this watch file's opts= to generate the URL
N:    of an upstream GPG signature. This signature is automatically downloaded
N:    and verified against a keyring stored in
N:    debian/upstream-signing-key.asc.
N:
N:    Of course, not all upstreams provide such signatures, but you could
N:    request them as a way of verifying that no third party has modified the
N:    code against their wishes after the release. Projects such as
N:    phpmyadmin, unrealircd, and proftpd have suffered from this kind of
N:    attack.
N:
N:    Refer to the uscan(1) manual page for details.
N:
N:    Severity: pedantic, Certainty: certain
N:
N:    Check: watch-file, Type: source
N:
Previously the watch file had just been added to fix the [--pedantic?] lintian warning that there is no watch file at all. So we can say the package is --pedantic lintian clean, i.e. has zero lintian warnings, to shorten discussions about that and to make packaging "complete".
We don't really need the watch files for Whonix currently, since we're upstream and packagers in one person and not using such a notification mechanism.
I am wondering about which fix would be appropriate. Possible routes:
- each and every package getting a lintian override to make lintian ignore this issue
- trying to make the watch file support gpg as per https://wiki.debian.org/debian/watch#Cryptographic_signature_verification - it would require adding Whonix's signing key to each and every package
- anything else?
Making lintian fail open.
Or not using lintian.
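For reference, these are the two files the first two routes would touch: a watch file that uses pgpsigurlmangle so uscan verifies the tarball against the keyring named in the lintian message, and the override that silences the tag instead. This is an added illustration, not Whonix's actual packaging; the download URL, tarball name and version pattern are placeholders.

```text
# debian/watch  (route 2: verify the upstream tarball signature)
# uscan fetches <tarball>.asc next to the tarball and checks it against
# the key(s) in debian/upstream-signing-key.asc; a bad or missing
# signature makes uscan fail instead of silently accepting the download.
version=3
opts="pgpsigurlmangle=s/$/.asc/" \
  https://example.org/releases/anon-apt-sources-list-(\d[\d.]*)\.tar\.gz

# debian/source/lintian-overrides  (route 1: suppress the tag instead)
# The package name and "source" type match the P: line lintian printed.
# This only hides the warning; it adds no verification.
anon-apt-sources-list source: debian-watch-may-check-gpg-signature
```

With route 2 the exported signing key still has to be committed as debian/upstream-signing-key.asc in every package, which is the per-package cost mentioned above.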