Bug#747412: marked as pending

Osamu Aoki osamu at debian.org
Fri Oct 16 13:08:16 UTC 2015 

Hi,

Maybe chencgelog text has room for improvement.... but

On Fri, Oct 16, 2015 at 12:26:47AM +0800, Paul Wise wrote:
> On Thu, 15 Oct 2015 16:07:13 +0000 Osamu Aoki wrote:
> > +    + Add the --overwrite-download, --skip-signature, and similar options
> > +      to reorganize behavior around existing downloaded files.
> > +      (Closes: #532182, #740366, #747412)
>  
> None of the new options seem to be relevant to #747412, removed pending.

You requested
    uscan: option to verify current upstream tarball

Doesn't the following look like what you requested

$ uscan --download-current-version --nodownload --signature
uscan: uscan (version 2.15.9+multitar1) See uscan(1) for help
uscan: Scan watch files in .
uscan: ./debian/changelog sets package="coreutils" version="8.23"
uscan: Newest version on remote site is 8.23, specified download version is 8.23
gpgv: Signature made Sat 19 Jul 2014 08:07:15 AM JST using RSA key ID 306037D9
gpgv: Good signature from "Pádraig Brady <P at draigBrady.com>"
gpgv:                 aka "Pádraig Brady <pbrady at redhat.com>"
gpgv:                 aka "Pádraig Brady <pixelbeat at gnu.org>"
uscan: Successfully downloaded package coreutils-8.23.tar.xz
uscan warn: ??? STRANGE ??? uscan log file already exists: ../coreutils_8.23.uscan.log (appending)
uscan: Leaving ../coreutils_8.23.orig.tar.xz where it is.
uscan: Executing user specified script: uupdate -f -b --upstream-version 8.23; output:
uscan: uupdate: You can not execute this from ../coreutils-8.23/.

Here, uscan skips "download" and uses the existing local tarball.

Maybe, adding one option like --stop-after-signature to stop processing after
signature may be a good idea.  But this does good job using existing
tarball and do things like uupdate if possible.

For the specific tool just for such functionality, splitting out like
mk-origtargz is the way to go.  But the restructuring around download
and sig-check now allows to proceed to sig-check without downloading the
tarball.  That is why I closed this.  If you have separate bug to have
independent program to check sig only, please file it so.

Osamu

PS:  coreutil's current watch file is not good enough. I also added
upstream signature file.  If you have suggestion for the good test
package case, let me know.

$ cat debian/watch
version=4
opts="pgpsigurlmangle=s/$/.sig/" \
ftp://ftp.gnu.org/gnu/coreutils/coreutils-([\d+\.]+)\.tar\.(?:gz|bz2|lzma|xz) debian uupdate

More information about the devscripts-devel mailing list