Instead of the signify tool from OpenBSD as most users expect, Debian's signify package is this unmaintained Perl script for attaching a random signature to an email: signify.sourceforge.net. The final release on the official site was 1.11 in 2003 but Debian has 1.14 from 2004.
The developer appears to have been a Debian developer and started making the changes and releases as part of the Debian package, with no upstream source. It's supposedly maintained by the Debian QA Group now. They ported it away from Perl 5 to keep the poor thing on life support.
It's nice when distributions have a policy of not shipping unmaintained code in the main repositories. Of course, it's probably harder to make the case for that in a distribution not shipping upstream bug fixes including many security updates for literally years per the policies.
It's roadblock #1 for someone installing GrapheneOS via Debian. Roadblock #2 is their fastboot package. The platform-tools 28.0.0 release was made in June 2018. Debian Buster was released this month (July 2019) and has a development snapshot of platform-tools 27.0.0 called 26.0.3.
In 28.0.0, fastboot added version constraints for factory images:
> Avoid bricking new devices when using a too-old version of fastboot by allowing factory image packages to require support for specific partitions.
This would be perfect for Debian, but of course it's missing.
Debian makes this harder for users by clobbering the upstream fastboot version. The development snapshot they chose is marked as 26.0.3 in the sources, which was never released, since Android 8.1.0 raised the API level to 27 so it became 27.0.0. They override this with 8.1.0_r23.
Debian doesn't provide upstream security updates for this package or various dependencies like BoringSSL. It shouldn't be used with an untrusted device. Not shipping the upstream security updates is a systemic issue applying to thousands of their packages, but still worth noting.
