Bug#747412: uscan: option to verify current upstream tarball

James McCoy jamessan at debian.org
Thu Aug 27 02:31:30 UTC 2015


On Thu, May 08, 2014 at 08:10:02PM +0800, Paul Wise wrote:
> It would be great if there were an option to verify the current upstream
> tarball is the same as the one for the package and that the upstream
> cryptographic signatures still match.

I think uscan is a bit too overloaded already.  A new tool (chkorigsig?)
should probably be split out to handle finding the upstream keyring (or
using a specified one) and an upstream archive and verifying it.  That
can be used by uscan and for part of the workflow you're describing
here.

> Currently sponsors have to do this
> manually, it would be much better if it could be automated. If the hash
> of the tarball is different to upstream, uscan could determine if the
> tarball was just recompressed, if the tarball itself was recreated or if
> the content of the tarball is different and maybe how it is different.

There are a lot of heuristics implied here, which also don't seem to
belong to uscan.  The only part that really needs uscan is the "download
orig from upstream" which can be handled as Osamu was describing.

Maybe pulling relevant bits of uscan out into library code would make it
easier to build up what you envision.

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jamessan at debian.org>
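As an added illustration of the two pieces James separates above (the signature check that a chkorigsig-style tool would own, and the "was it just recompressed, recreated, or actually changed?" heuristics), here is a small Python sketch. It is example code written for this page, not devscripts or uscan code; the names `verify_signature`, `classify` and `make_tgz` are assumed, the sample tarballs are constructed in memory, and the gpgv wrapper is only shown, not run by the demo.

```python
"""Tiered comparison of a local orig tarball against the upstream one.

Added example, not part of devscripts. Tiers, in the order a sponsor would
check them: identical bytes -> only the gzip wrapper differs (recompressed)
-> only tar metadata/order differs (recreated) -> file contents differ.
"""
import gzip
import hashlib
import io
import subprocess
import tarfile


def verify_signature(tarball: str, sig: str, keyring: str) -> bool:
    """Check a detached upstream signature with gpgv against one keyring.

    The keyring must be in binary form (what `gpg --dearmor` produces from
    debian/upstream/signing-key.asc). Needs gpgv on PATH; not exercised by
    the in-memory demo below.
    """
    result = subprocess.run(["gpgv", "--keyring", keyring, sig, tarball],
                            capture_output=True)
    return result.returncode == 0


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def member_digests(tgz: bytes) -> dict:
    """Map each regular-file member path to the sha256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tf:
        for member in tf:
            if member.isfile():
                digests[member.name] = sha256(tf.extractfile(member).read())
    return digests


def classify(local: bytes, upstream: bytes) -> tuple:
    """Return (verdict, changed_paths) for two .tar.gz byte strings."""
    if sha256(local) == sha256(upstream):
        return ("identical", [])
    # Same tar stream inside a different gzip wrapper (mtime, level, tool).
    if sha256(gzip.decompress(local)) == sha256(gzip.decompress(upstream)):
        return ("recompressed", [])
    local_files, upstream_files = member_digests(local), member_digests(upstream)
    if local_files == upstream_files:
        # Same file contents; only tar metadata (mtime, owner, order) moved.
        return ("recreated", [])
    changed = sorted(path for path in set(local_files) | set(upstream_files)
                     if local_files.get(path) != upstream_files.get(path))
    return ("content-differs", changed)


def make_tgz(files: dict, tar_mtime: int = 0, gzip_mtime: int = 0) -> bytes:
    """Build a deterministic .tar.gz in memory (constructed sample input)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mtime = tar_mtime
            tf.addfile(info, io.BytesIO(content))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


# Constructed sample "upstream" release, not a real project.
SAMPLE_FILES = {
    "pkg-1.0/README": b"hello\n",
    "pkg-1.0/main.c": b"int main(void) { return 0; }\n",
}
UPSTREAM = make_tgz(SAMPLE_FILES)


def demo() -> dict:
    """Run each tier against UPSTREAM and return the verdicts."""
    patched = dict(SAMPLE_FILES)
    patched["pkg-1.0/main.c"] = b"int main(void) { return 1; }\n"
    return {
        "same": classify(UPSTREAM, UPSTREAM),
        "regzipped": classify(make_tgz(SAMPLE_FILES, gzip_mtime=1000), UPSTREAM),
        "retarred": classify(make_tgz(SAMPLE_FILES, tar_mtime=1700000000), UPSTREAM),
        "edited": classify(make_tgz(patched), UPSTREAM),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

The ordering matters for the security point: only the "identical" tier proves the sponsor has the exact bytes upstream signed, so `verify_signature` should be run on the upstream download, and anything below "identical" is a reason to look, not a reason to trust.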

