Bug#796293: insufficient/confusing documentation for pgpsigurlmangle
Mattia Rizzolo
mattia at mapreri.org
Fri Aug 21 09:29:39 UTC 2015
Control: notfound -1 2.15.8~bpo8+1
Control: found -1 2.15.8
Control: severity -1 wishlist
Control: clone -1 -2 -3
Control: reassign -2 lintian 2.5.36
Control: retitle -2 please suggest debian/upstream/signing-key.{asc,pgp} instead of debian/upstream-signing-key.asc for the debian-watch-may-check-gpg-signature tag
Control: reassign -3 qa.debian.org
Control: retitle -3 mole: check whether $URL.{asc,pgp} is available and list packages which do not do upstream pgp check with uscan
Control: user qa.debian.org at packages.debian.org
Control: usertag -3 mole
On Fri, Aug 21, 2015 at 09:13:02AM +0200, Thomas Koch wrote:
> Package: devscripts
> Version: 2.15.8~bpo8+1
The bug tracker knows nothing about backports. According to the backports
documentation you're supposed to send an email to the bpo ML.
Though this is not strictly related to bpo, so I changed the version.
> There are a few related shortcomings with the documentation of
> pgpsigurlmangle and the related lintian tag
> debian-watch-may-check-gpg-signature.
>
> 1) The uscan manpage says:
> "This signature must be made by a key found in the keyring
> debian/upstream/signing-key.pgp or the armored keyring
> debian/upstream/signing-key.asc."
> - What is an armored keyring?
Well, this is a gpg thingy, go read the gpg documentation.
The tl;dr version is, .pgp is binary, .asc is just ascii.
> - Isn't it, that the .asc file is just one public key as produced
> by gpg --armor --export $KEYID?
Indeed.
> - Please give an example how to correctly produce this file.
I personally think this is out of the scope of devscripts, others might
disagree (and anyway, I'm just triaging the bug, I won't fix it personally (at
least soon)).
> - How can I produce a keyring .pgp file?
Without --armor …
> - Which format should be preferred? I don't like choices.
I personally prefer .asc, just because it is easier to handle text stuff.
> 2) There is no example of a full watch file with a pgpsigurlmangle
> option. I needed several tries to get it right because it was the
> first time that I had to produce a non trivial watch file with an
> option. I believe that many others might be in the same situation.
> Please add an example to the uscan manpage or the lintian tag or
> both.
Umh, ok.
> 3) The lintian tag says:
> "verified against a keyring stored in debian/upstream-signing-key.asc"
> The manpage does not mention this file. It seems that the code
> still uses it, but it is confusing.
I think everybody prefers debian/upstream/* instead of the other file. The
debian/upstream-signing-key.asc was a thingy from before the debian/upstream
directory.
I cloned the bug to lintian to change the lintian desc.
> 4) How about a script, that checks all watch files, tries GET
> requests against $URL.sig, $URL.asc and proposes a new watch file
> to the maintainer in case it finds something?
I *believe* uscan already does that check, btw I just thought that this would
be a nice addition for the qa team, even though I'm not that sure somebody is
going to implement it anytime soon … (please clone/reassign that bug to
whatever other d/watch reader we have if you want to -.-)
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
more about me: http://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
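As an added illustration, not part of this bug report or of devscripts, here is the kind of watch-file example the reporter asked for, together with a small Python sketch of what uscan does with it: apply the pgpsigurlmangle substitution to the tarball URL to find the detached signature, and tell an armored debian/upstream/signing-key.asc apart from a binary signing-key.pgp. The watch file, the URL and the keyring bytes are constructed; Python's re stands in for the Perl substitution uscan really performs.

```python
import re
# Constructed example of a version=3 debian/watch file that enables the
# signature check through pgpsigurlmangle (not from any real package).
WATCH_FILE = r"""version=3
opts="pgpsigurlmangle=s/$/.asc/" \
  https://example.org/releases/foo-(\d+\.\d+(?:\.\d+)*)\.tar\.gz
"""
# Constructed keyring samples: the start of an armored file as written by
# 'gpg --armor --export' (body truncated) and the first bytes of a binary one.
ARMORED_SAMPLE = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQENBF...\n"
BINARY_SAMPLE = b"\x99\x01\x0d\x04" + b"\x00" * 8

def parse_watch(text):
    """Return (options dict, URL pattern) from a version=3 watch file."""
    opts, url = {}, None
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line[0] == "#" or line.startswith("version="):
            continue
        m = re.match(r'opts=("([^"]*)"|\S+)\s+(\S+)', line)  # quoted or bare opts
        if m:
            raw = m.group(2) if m.group(2) is not None else m.group(1)
            for item in raw.split(","):
                key, _, value = item.partition("=")
                opts[key] = value
        url = m.group(3) if m else line.split()[0]
    return opts, url

def perl_subst(rule, text):
    """Apply a Perl s/pat/repl/flags rule via Python's re (handles g, i and $N)."""
    parts = rule[2:].split(rule[1]) if rule[:1] == "s" and len(rule) > 3 else []
    if len(parts) < 3:
        raise ValueError("not an s/// rule: %r" % rule)
    repl = re.sub(r"\$(\d+)", r"\\\1", parts[1])  # Perl $1 -> Python \1
    return re.sub(parts[0], repl, text, count=0 if "g" in parts[2] else 1,
                  flags=re.IGNORECASE if "i" in parts[2] else 0)

def signature_url(tarball_url, opts):
    """Where uscan would fetch the detached signature; None means the watch
    file carries no pgpsigurlmangle and no signature check happens at all."""
    rule = opts.get("pgpsigurlmangle")
    return None if rule is None else perl_subst(rule, tarball_url)

def keyring_kind(data):
    """'armored' for a signing-key.asc style file, 'binary' for signing-key.pgp
    (an OpenPGP packet's first octet has bit 7 set, RFC 4880 section 4.2)."""
    if data.lstrip().startswith(b"-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        return "armored"
    return "binary" if data and data[0] & 0x80 else "unknown"
```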