Bug#827065: /usr/bin/uscan: [uscan] please extend git tag support for signed git tag with pgpmode
Osamu Aoki
osamuaoki at e01.itscom.net
Sun Jun 12 02:48:06 UTC 2016
Hi,
As for quieting lintian for the sig-check, let's use the newly available
explicit option opts="pgpmode=none" in the watch file and make lintian
understand this option (or use a lintian override).
But the wishlist bug for uscan should be about how to get the signature
check right for a git repo.
On Sat, Jun 11, 2016 at 09:33:37PM +0100, Neil Williams wrote:
> Package: devscripts
> Version: 2.16.5
> Severity: wishlist
> File: /usr/bin/uscan
>
> uscan supports git tags in the debian/watch file
Yes, via the newly available git mode in the newest uscan, which supports
version=4.
But most version=3 watch files rely on some web page URL publishing git
tags and don't interact directly with git.
> but lintian picks up that the signatures could be checked.
I see. Annoying I agree.
> uscan seems to lack this support - assuming that a separate .asc or
> .sig file can be downloaded which does not work for a signed git tag.
If a separate URL can be automatically generated by a rule, we support
downloading a separate .asc or .sig file for the signature check.
The URL to download the tarball also needs to be automatically generated
by a rule.
Then we can automate downloading the tarball and checking the signature in
the old way.
> https://lintian.debian.org/tags/debian-watch-may-check-gpg-signature.html
Yes.
> https://sources.debian.net/src/lava-dispatcher/2016.6-2/debian/watch/
This example is in the old version=3 style of tracking.
I don't think this downloads the tarball or the signature.
uscan works in 3 stages:
stage1: check some URL to find if there is newer version
stage2: download and optionally check signature
stage3: use uupdate to make a new template package
If people only care about stage1 (which is the case for this example
watch file), then the sig-check certainly does not work. Lintian assumes
you use the full capability of uscan from stage1 to stage3.
I think the problem comes when there is no published URL for the tarball
and no sig, or even no URL for tags. Then you use the new git mode.
Currently it can create a tarball but has not added support for the
signed tag.
One problem I am worried about is that the tarballs generated locally, or
by some web interface, are not reproducible as I understand it. So the
sig-check is only possible for an uncompressed tarball or a git signature.
I welcome such a feature addition. Please send me a shell execution
example of how that is done manually.
Regards,
Osamu
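A shell walk-through of the manual check asked for above, added here as an example; it is not from the bug report, nor from uscan or devscripts. It constructs a throwaway GPG key and a one-commit git repository so that it runs offline (the key, the user id, the tag names v1.0 and v1.0-unsigned and the prefix pkg-1.0/ are all assumptions), verifies the signed tag with git verify-tag against that private keyring, shows that an unsigned tag is rejected rather than silently accepted, and then hashes git archive output of the verified tag twice to show that the uncompressed tar of a given tree is byte-for-byte reproducible, which is the property that lets a signed tag stand in for a signed tarball.

```shell
#!/bin/sh
# Added example, not code from the bug report, uscan or devscripts.
# Manual equivalent of a "pgpmode for git" check:
#   1. build a throwaway GPG key and git repo (constructed test data)
#   2. git verify-tag the signed tag against that keyring
#   3. confirm an unsigned tag is rejected
#   4. confirm `git archive --format=tar` of the tag is byte-identical on
#      two runs, so the signed tag vouches for the uncompressed tarball
# Exit status: 0 all checks passed, 1 a check failed, 2 tools missing.

verify_signed_tag_demo() {
    for tool in git gpg gpgconf awk cut sha256sum mktemp; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "skip: $tool not installed" >&2; return 2; }
    done
    work=$(mktemp -d) || return 1
    repo="$work/repo"
    # Private keyring so the real ~/.gnupg is never touched; uscan would
    # instead import debian/upstream/signing-key.asc into such a keyring.
    old_home=${GNUPGHOME-__unset__}
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    # Constructed upstream key with no passphrase (assumption: the
    # environment can generate keys; never reuse such a key for real signing).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Upstream <upstream@example.invalid>' \
        default default never >/dev/null 2>&1 || return 1
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr:/ { print $10; exit }')

    # Constructed upstream repository with one signed and one unsigned tag.
    git init -q "$repo" || return 1
    g() { git -C "$repo" -c user.name='Example Upstream' \
                       -c user.email='upstream@example.invalid' \
                       -c user.signingkey="$fpr" "$@"; }
    echo 'hello from upstream' > "$repo/README" || return 1
    g add README && g commit -q -m 'release 1.0' || return 1
    g tag -s -m 'signed release 1.0' v1.0 || return 1
    g tag -a -m 'unsigned tag' v1.0-unsigned || return 1

    status=0
    # Step 2: the signature must verify with the key in our keyring.
    if g verify-tag v1.0 >/dev/null 2>&1; then
        echo "ok: v1.0 carries a valid signature from $fpr"
    else
        echo "FAIL: v1.0 signature did not verify"; status=1
    fi
    # Step 3: a tag without a signature must fail, not be silently accepted.
    if g verify-tag v1.0-unsigned >/dev/null 2>&1; then
        echo "FAIL: unsigned tag was accepted"; status=1
    else
        echo "ok: v1.0-unsigned rejected (no signature)"
    fi
    # Step 4: reproducible uncompressed tarball from the verified tag.
    h1=$(g archive --format=tar --prefix=pkg-1.0/ v1.0 | sha256sum | cut -d' ' -f1)
    h2=$(g archive --format=tar --prefix=pkg-1.0/ v1.0 | sha256sum | cut -d' ' -f1)
    if [ -n "$h1" ] && [ "$h1" = "$h2" ]; then
        echo "ok: git archive of v1.0 is reproducible: sha256 $h1"
    else
        echo "FAIL: git archive output differs between runs"; status=1
    fi

    # Clean up the agent and the scratch directory, restore GNUPGHOME.
    gpgconf --kill all >/dev/null 2>&1
    rm -rf "$work"
    if [ "$old_home" = __unset__ ]; then unset GNUPGHOME; else GNUPGHOME=$old_home; fi
    return $status
}

case "${1-}" in
    run) verify_signed_tag_demo; echo "exit status $?" ;;
esac
```

Run it as `sh verify_tag_demo.sh run`. The reproducibility check only covers the plain tar stream: git archive stores the commit time as the mtime of every entry, so the same tag yields the same bytes on any machine, but a gzip or xz layer added afterwards may embed timestamps or use a different compressor, which is exactly why the message above restricts the signature check to the uncompressed tarball or the git signature itself.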