Bug#731725: uscan: Please allow to verify uncompressed tarball signature

David Prévot taffit at debian.org
Mon Dec 9 03:16:00 UTC 2013


Package: devscripts
Version: 2.13.5
Severity: wishlist
User: devscripts at packages.debian.org
Usertag: uscan

Hi,

Since it is easier to find/produce collisions with compressed files,
some projects do a checksum on the tar file and not on the compressed
file, see:

http://cryptography.hyperlink.cz/2004/otherformats.html
https://www.kernel.org/signature.html
https://www.samba.org/samba/download/
https://open.cryptomilk.org/projects/cmocka/files

It would be nice to allow uscan to check the uncompressed tarball
instead of the compressed one.
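To illustrate what "check the uncompressed tarball" means in practice, here is an added example (not part of this report or of uscan) that hashes the inner tar stream of a compressed archive in chunks, the same data that `xz -dc foo.tar.xz | gpg --verify foo.tar.asc -` feeds to gpg. The sample archive and the `cmocka-0.3.2/README` member name are constructed for the demo.

```python
import gzip
import hashlib
import io
import lzma
import tarfile


def sha256_of_inner_tar(compressed: bytes, fmt: str, chunk_size: int = 1 << 16) -> str:
    """Decompress per container format and hash the *inner* tar stream.

    Reads in chunks so a large tarball is never held in memory at once.
    A signature or checksum over this stream covers the tar itself, not
    the compressed wrapper, so it stays valid if a mirror recompresses.
    """
    openers = {"gz": gzip.open, "xz": lzma.open}
    h = hashlib.sha256()
    with openers[fmt](io.BytesIO(compressed), "rb") as stream:
        while True:
            chunk = stream.read(chunk_size)
            if not chunk:
                break
            h.update(chunk)
    return h.hexdigest()


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_tar(members: dict) -> bytes:
    """Constructed sample input: build a tiny tar archive in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            info.mtime = 0  # fixed timestamp keeps the tar deterministic
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo() -> dict:
    inner = make_tar({"cmocka-0.3.2/README": b"constructed sample\n"})
    # The same tar compressed two ways, as two mirrors (or a recompression)
    # might ship it: the outer digests differ, the inner digest does not.
    as_gz = gzip.compress(inner, compresslevel=9, mtime=0)
    as_xz = lzma.compress(inner)
    return {
        "inner_from_gz": sha256_of_inner_tar(as_gz, "gz"),
        "inner_from_xz": sha256_of_inner_tar(as_xz, "xz"),
        "outer_gz": sha256_of_bytes(as_gz),
        "outer_xz": sha256_of_bytes(as_xz),
        "inner_direct": sha256_of_bytes(inner),
    }


if __name__ == "__main__":
    for key, digest in demo().items():
        print(f"{key}: {digest}")
```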


Bonus question: for CMocka, the directory also changes (see the s/34/33/
below) for each file, independently of the version:

https://open.cryptomilk.org/attachments/download/33/cmocka-0.3.2.tar.asc
https://open.cryptomilk.org/attachments/download/34/cmocka-0.3.2.tar.xz

Do you have an idea of a pgpsigurlmangle rule that would allow one to
download the accurate signature file?

Regards

David