On 13 Oct 2017, at 10:44, Kambiz Darabi wrote:

Hello,

there are questions from the Debian dev who helps publishing the package about the signing key which is in the debian/ subtree.

Can someone please comment?

Thank you

Kambiz

Hm. Is this because you are grabbing tar balls from there, and Debian would like to see those tar balls signed? I should probably modify the make script for releasing to make a pop signature for the tar balls and upload it. I don't really have the capability of going back to regenerate and sign the old tar balls I'm afraid. And anyway, I simply won't do it. I have no idea what key is stored at debian Cheers, r

----- Forwarded Message ----- From: "Sébastien Villemot" <sebastien@debian.org> To: "Kambiz Darabi" <darabi@m-creations.com> Cc: 878167@bugs.debian.org Sent: Friday, 13 October, 2017 5:07:45 PM Subject: Re: Bug#878167: RFS: cl-asdf/3.3.0 - Another System Definition Facility

Also, there is a GPG key under debian/upstream/signing-key.asc, but I see no signature on upstream website (https://common-lisp.net/project/asdf/archives/).

Am I missing something? Or should the key be removed?

Thanks,

-- ⢀⣴⠾⠻⢶⣦⠀ Sébastien Villemot ⣾⠁⢠⠒⠀⣿⡁ Debian Developer ⢿⡄⠘⠷⠚⠋⠀ http://sebastien.villemot.name ⠈⠳⣄⠀⠀⠀⠀ http://www.debian.org