Bug#747412: uscan: option to verify current upstream tarball
Paul Wise
pabs at debian.org
Thu Aug 27 15:08:51 UTC 2015
On Wed, 2015-08-26 at 22:31 -0400, James McCoy wrote:
> I think uscan is a bit too overloaded already. A new tool (chkorigsig?)
> should probably be split out to handle finding the upstream keyring (or
> using a specified one) and an upstream archive and verifying it. That
> can be used by uscan and for part of the workflow you're describing
> here.
Seems reasonable.
> There are a lot of heuristics implied here, which also don't seem to
> belong to uscan. The only part that really needs uscan is the "download
> orig from upstream" which can be handled as Osamu was describing.
I think maybe the heuristics I wrote back then can now be delegated to
diffoscope, which was created by the reproducible builds folks.
http://diffoscope.org/
> Maybe pulling relevant bits of uscan out into library code would make it
> easier to build up what you envision.
Ack, new plan:
New script called checkorig or similar should:
Copy the already-downloaded orig.tar files to a tmp dir (dpkg-dev?)
Run uscan to download the current upstream tarball to a temporary
directory and do the usual gpg sig check dance during the process.
Compare the two directories using diffoscope, tardiff or cmp.
--
bye,
pabs
https://wiki.debian.org/PaulWise
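The three-step plan in the message above, as an added shell sketch; it is not code from devscripts or from the original thread. The script name (checkorig.sh), the exact uscan options used (--download-current-version, --destdir, --rename), the cmp-first-then-diffoscope ordering and the cleanup behaviour are assumptions. One caveat worth keeping in mind: uscan only performs the OpenPGP check when debian/watch carries a pgpsigurlmangle/pgpmode rule and debian/upstream/signing-key.asc exists, so a package without those gets a download but no signature verification, and this script cannot tell the two apart.

```shell
#!/bin/sh
# checkorig.sh (added example, hypothetical name): verify that the orig.tar
# already in the packaging tree matches what upstream currently serves.
# Run from the unpacked source tree, as uscan expects, e.g.:
#   ./checkorig.sh ../foo_1.2.orig.tar.gz
set -u

# Step 1: copy the already-downloaded orig tarballs into a scratch dir.
copy_existing_origs() {
    co_dest="$1"; shift
    [ "$#" -gt 0 ] || return 1
    for co_f in "$@"; do
        [ -f "$co_f" ] || { echo "not a file: $co_f" >&2; return 1; }
        cp -- "$co_f" "$co_dest"/ || return 1
    done
}

# Step 2: let uscan fetch the currently packaged upstream version into a
# separate dir. uscan does the signature check itself; it exits non-zero
# when the signature does not verify.  --rename makes the result carry the
# same <pkg>_<ver>.orig.tar.* name as the local copy, so step 3 can pair
# files by name.  (Option usage is an assumption, see uscan(1).)
download_current_upstream() {
    uscan --download-current-version --destdir "$1" --rename
}

# Step 3: byte-compare each local tarball with its freshly downloaded twin.
# Identical bytes need no further look; on a mismatch hand both files to
# diffoscope (if installed) so the reader can see whether the difference is
# mere recompression metadata or changed content.
compare_orig_dirs() {
    cd_old="$1"; cd_new="$2"; cd_status=0
    for cd_f in "$cd_old"/*; do
        cd_name=$(basename "$cd_f")
        if [ ! -f "$cd_new/$cd_name" ]; then
            echo "MISSING: $cd_name was not downloaded from upstream" >&2
            cd_status=1
            continue
        fi
        if cmp -s "$cd_f" "$cd_new/$cd_name"; then
            echo "OK: $cd_name is byte-identical to upstream"
        else
            echo "DIFF: $cd_name differs from upstream" >&2
            cd_status=1
            if command -v diffoscope >/dev/null 2>&1; then
                diffoscope "$cd_f" "$cd_new/$cd_name" || true
            fi
        fi
    done
    return $cd_status
}

# Glue the three steps together; returns 0 only if every tarball matched.
checkorig_main() {
    cm_work=$(mktemp -d) || return 1
    mkdir "$cm_work/local" "$cm_work/upstream" || { rm -rf "$cm_work"; return 1; }
    if ! copy_existing_origs "$cm_work/local" "$@"; then
        echo "usage: checkorig.sh ../<pkg>_<ver>.orig.tar.*" >&2
        rm -rf "$cm_work"; return 1
    fi
    if ! download_current_upstream "$cm_work/upstream"; then
        echo "uscan failed (download error or signature did not verify)" >&2
        rm -rf "$cm_work"; return 1
    fi
    compare_orig_dirs "$cm_work/local" "$cm_work/upstream"
    cm_rc=$?
    rm -rf "$cm_work"
    return $cm_rc
}

if [ "$#" -gt 0 ]; then
    checkorig_main "$@"
fi
```

A non-zero exit from step 2 is ambiguous between a network failure and a failed signature check, so in practice one reads uscan's stderr before trusting the result; a non-zero exit from step 3 after a passing signature check is the interesting case, since it means the tarball in the archive is not the bytes upstream currently signs.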