Bug#833012: uscan: don't look for OpenPGP signatures by appending .asc to a query string
Osamu Aoki
osamuaoki at e01.itscom.net
Sun Jul 31 16:05:03 UTC 2016
Hi,
On Sat, Jul 30, 2016 at 02:01:51PM -0700, Sean Whitton wrote:
> Package: devscripts
> Version: 2.16.6
> Severity: normal
>
> Dear maintainers,
>
> uscan tries appending .asc to the tarball download URI. If that returns
> HTTP 200, it will say something like this:
>
> > uscan warn: Possible OpenPGP signature found at:
> > https://addons.mozilla.org/firefox/downloads/file/423258/self_destructing_cookies-0.4.10-an+fx.xpi?src=version-history.asc.
> > Please consider adding opts=pgpsigurlmangle=s/$/.asc/
> > to debian/watch. see uscan(1) for more details.
>
> However, as can be seen from this example, uscan has appended .asc to
> the query string i.e. the part of the URI after the final '?'
> character.
Yes.
> It is highly unlikely that this will ever be a real
> signature file.
In this case, huristics does not work.
> uscan should, in this kind of case, try the following URI:
>
> https://addons.mozilla.org/firefox/downloads/file/423258/self_destructing_cookies-0.4.10-an+fx.xpi.asc?src=version-history
The upstream tarball filename is normally found by taking the last
component of the URL and removing everything after any '?' or '#'.
Problem is that some query strings contain upstream archive name after ?
Use of pgpsigurlmangle is one way to avoid this problem. But let me
think if there is a bit more reasonable huristics with least
complication.
Osamu
> i.e. append the .asc to the part of the URI before the query string.
Yah...
Osamu
More information about the devscripts-devel
mailing list