Bug#747412: chk-origtgz proof of concept

Paul Wise pabs at debian.org
Mon Apr 11 07:48:15 UTC 2016


On Sat, 17 Oct 2015 19:12:55 +0900 Osamu Aoki wrote:

> As for the idea of chk-origtgz, the new uscan and uupdate combination
> records the hash of the original tarball before it is repacked to orig.tar.gz.
> This may be used by the chk-origtgz you are thinking of...

Stuart Prescott and I wrote the attached sketch of concept for chk-origtgz.

Unfortunately it doesn't work because uscan --safe doesn't repack the
tarball nor write the tarball to the same filename as what the usual
orig.tar.gz is called, but only what the upstream tarball is called.

Please note that it verifies the old tarball against the old gpg sigs,
but uscan does not yet store the old signatures in debian/ (#727096).

So this will need a way to make uscan do everything (including
signature checks, repacking etc) except running uupdate or other code
from debian/watch and debian/copyright, since running code from the
debian/watch file could cause security issues for DDs who want to check
tarballs when sponsoring packages.

I dropped tardiff since it didn't seem very reliable for the simple
test cases that I constructed.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


-------------- next part --------------
A non-text attachment was scrubbed...
Name: chk-origtargz
Type: application/x-shellscript
Size: 1368 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/devscripts-devel/attachments/20160411/396460fd/attachment.bin>
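The attachment is not reproduced in the archive. As an added example (my own sketch, not Paul Wise and Stuart Prescott's chk-origtargz and not devscripts code), this is one way to do the consistency check the mail wants in place of the dropped tardiff step: it verifies that a repacked orig tarball contains only byte-identical members of the upstream tarball, and that anything dropped is covered by an exclusion glob. It assumes GNU tar and sha256sum are present and that the Files-Excluded globs are passed as arguments.

```shell
#!/bin/sh
# Hypothetical checker (not devscripts' chk-origtargz): compare a
# repacked orig tarball against the upstream tarball it was made from.
# Every member of the repack must be byte-identical to its upstream
# counterpart, and every upstream member missing from the repack must
# match one of the exclusion patterns given as extra arguments (the
# Files-Excluded globs from debian/copyright, matched here with case,
# so '*' also spans '/').  Paths are compared with the top-level
# directory stripped, because repacks usually rename it (e.g. +dfsg).
# Assumes GNU tar and sha256sum.  Returns 0 if consistent, 1 otherwise.
# Usage: chk_orig_tarball UPSTREAM.tar.gz ORIG.tar.gz [EXCLUDE_GLOB ...]

member_digests() {
    # emit "sha256  path" for every regular file, sorted for comm(1)
    d=$(mktemp -d) || return 2
    tar -xf "$1" -C "$d" || { rm -rf "$d"; return 2; }
    (cd "$d" && find . -type f -exec sha256sum {} +) \
        | sed 's#  \./[^/]*/#  #' | LC_ALL=C sort
    rm -rf "$d"
}

chk_orig_tarball() {
    tmp=$(mktemp -d) || return 2
    member_digests "$1" > "$tmp/up"   || { rm -rf "$tmp"; return 2; }
    member_digests "$2" > "$tmp/orig" || { rm -rf "$tmp"; return 2; }
    shift 2
    status=0
    # a repack line absent upstream means the member was altered or added
    LC_ALL=C comm -13 "$tmp/up" "$tmp/orig" | cut -c67- > "$tmp/changed"
    while read -r path; do
        echo "MODIFIED OR ADDED: $path"; status=1
    done < "$tmp/changed"
    # upstream members missing from the repack must be covered by a glob
    cut -c67- "$tmp/up"   | LC_ALL=C sort > "$tmp/uppaths"
    cut -c67- "$tmp/orig" | LC_ALL=C sort > "$tmp/origpaths"
    LC_ALL=C comm -23 "$tmp/uppaths" "$tmp/origpaths" > "$tmp/removed"
    while read -r path; do
        ok=0
        for pat in "$@"; do
            case "$path" in $pat) ok=1 ;; esac
        done
        [ "$ok" = 1 ] || { echo "REMOVED WITHOUT EXCLUSION: $path"; status=1; }
    done < "$tmp/removed"
    rm -rf "$tmp"
    return $status
}
```

This only checks that the repack is a faithful subset of upstream; verifying that the upstream tarball itself matches its recorded hash and gpg signature is a separate step, as the mail notes.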
