[devscripts] 01/01: uscan: check for likely upstream signatures if none are known (Closes: #732449)

Paul Wise pabs at moszumanska.debian.org
Thu May 8 12:01:59 UTC 2014


This is an automated email from the git hooks/post-receive script.

pabs pushed a commit to branch master
in repository devscripts.

commit 663fd42238ef75d1e6ba0735164fbbcf6f861f76
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Thu May 8 19:54:10 2014 +0800

    uscan: check for likely upstream signatures if none are known (Closes: #732449)
    
    Make uscan try to fetch the usual suffixes (.asc, .gpg, .pgp, .sig)
    appended to the tarball URL to see if we can find a likely-looking
    cryptographic signature.
    
    If one is found, uscan suggests that the package maintainer investigate
    it and encourages them to set up future checks.
---
 debian/changelog |  3 +++
 scripts/uscan.pl | 10 ++++++++++
 2 files changed, 13 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index b81e48f..88784ad 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,9 @@ devscripts (2.14.2) UNRELEASED; urgency=medium
   * Use HTTPS for the buildd logs to avoid a redirect
   * Fix scraping of the wnpp web pages due to https links
 
+  [ Daniel Kahn Gillmor ]
+  * uscan: check for likely upstream signatures if none are known (Closes: #732449)
+
   [ Cyril Brulebois ]
   * deb-reversion: Add support for udebs.  (Closes: #739437)
 
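Review bot: the new changelog entry runs past 80 columns (the `(Closes: #732449)` tail pushes it to 83); wrap the closing reference onto an indented continuation line so the block stays within the usual width.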
diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index 90eec82..8ea1942 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -1449,6 +1449,16 @@ EOF
 	       '--keyring', $keyring,
 	       "$destdir/$newfile_base.pgp", "$destdir/$newfile_base") >> 8 == 0
 		 or uscan_die("$progname warning: OpenPGP signature did not verify.\n");
+    } else {
+	print "-- Checking for common possible upsteam OpenPGP signatures\n" if $verbose;
+	foreach my $suffix (qw(asc gpg pgp sig)) {
+	    my $sigrequest = HTTP::Request->new('GET' => "$upstream_url.$suffix");
+	    my $sigresponse = $user_agent->request($sigrequest);
+	    if ($sigresponse->is_success()) {
+		uscan_warn "$pkg: Possible OpenPGP signature found at:\n   $upstream_url.$suffix.\n  Please consider adding opts=pgpsigurlmangle=s/\$/.$suffix/\n  to debian/watch.  see uscan(1) for more details.\n";
+		last;
+	    }
+	}
     }
 
     # Call mk-origtargz (renames, repacks, etc.)
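Review bot: `$sigresponse->is_success()` reflects only the HTTP status, so a server that answers 200 for any path (for example with an HTML "not found" page) will make uscan advertise a signature that does not exist and steer the maintainer toward a `pgpsigurlmangle` line that can never verify; check the Content-Type or the first bytes of the body (an armored signature starts with `-----BEGIN PGP SIGNATURE-----`) before emitting the warning, and since the body is discarded anyway a HEAD request would avoid fetching it at all. Two smaller points in the same block: "upsteam" in the verbose message should read "upstream", and it is worth stating in the warning that the tarball is still being used unverified, so the `uscan_warn` is advisory rather than a security check.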

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git