Bug#827065: /usr/bin/uscan: [uscan] please extend git tag support for signed git tag with pgpmode

Neil Williams codehelp at debian.org
Sun Jun 12 09:11:52 UTC 2016


On Sun, 12 Jun 2016 11:48:06 +0900
Osamu Aoki <osamuaoki at e01.itscom.net> wrote:

> Hi,
> 
> As for quieting lintian for sig-check, let's use the newly available
> explicit option opts="pgpmode=none" to the watch file and make lintian
> understand this option. (Or lintian override).

It's a pedantic tag, so it's not a problem in itself. It's just that
I'd like to be able to use the functionality.

> But the wishlist bug for uscan should be how to get it right for git
> repo signature check.
> 
> On Sat, Jun 11, 2016 at 09:33:37PM +0100, Neil Williams wrote:
> > Package: devscripts
> > Version: 2.16.5
> > Severity: wishlist
> > File: /usr/bin/uscan
> > 
> > uscan supports git tags in the debian/watch file  
> 
> Yes via the newly available git mode with the newest uscan supporting
> version=4.

OK, I'm using version=3 at the moment with:
https://git.linaro.org/lava/lava-dispatcher.git/tags /lava/lava-dispatcher.git/log/refs/tags/(.*)

I'm migrating to:
version=4
opts="mode=git,pgpmode=auto" \
http://git.linaro.org/lava/lava-dispatcher.git \
refs/tags/([\d+.\d+.\d?\.]+) debian uupdate

> > uscan seems to lack this support - assuming that a separate .asc or
> > .sig file can be downloaded which does not work for a signed git
> > tag.  
> 
> uscan works in 3 stages:
>  stage1: check some URL to find if there is newer version
>  stage2: download and optionally check signature
>  stage3: use uupdate to make a new template package
> 
> If people only care about stage1 (that is the case for this example
> watch file), then sig-check does not work for sure.  Lintian assumes
> you use the full capability of uscan from stage1 to stage3.
> 
> I think the problem comes if there is no published URL for the tarball
> and no sig. Or even no URL for tags.  Then you use the new git mode.
> 
> Currently, it can create tarball but has not added support for the
> signed tag.
> 
> One problem I am worried about is that the tarballs generated locally
> or by some web interface are not reproducible, as I understand it.
> So sig-check is possible for an uncompressed tarball or a git
> signature.

TBH I'm not using the tarball that uscan would create (yet) - issues
with setuptools currently - but I am planning to investigate how to drop
setuptools. debian/watch is mainly for others to monitor rather than to
assist uploads/rebuilds - but then I'm upstream too, so it's not a
problem.

> I welcome such a feature addition.  Please send me a shell execution
> example of how that is done manually.

Does uscan clone the repository or do everything remotely? I've been
unable to find a way to verify the tag remotely. With a cloned repo,
(possibly in a throw away tmpfs directory with the --no-checkout option)
it's a simple git verify-tag <tag>.

$ git clone -n http://git.linaro.org/lava/lava-dispatcher.git
$ cd <package>
$ git verify-tag 2016.6
gpg: Signature made Mon 06 Jun 2016 08:01:01 BST using RSA key ID 8143B682
gpg: Good signature from "Neil Williams (Debian) <codehelp at debian.org>"
gpg:                 aka "Neil Williams <neil at codehelp.co.uk>"
gpg:                 aka "Neil Williams (codehelp) <linux at codehelp.co.uk>"


-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/
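The manual check Neil describes above (throw-away no-checkout clone, then `git verify-tag`), wrapped into a POSIX shell function as an added example; this is not uscan's code and was not posted in the thread. The repository URL and tag name are parameters, and the function's exit status (0 good signature, 1 tag missing/unsigned/bad signature, 2 clone failed) is an assumption of this example, not something uscan defines.

```shell
#!/bin/sh
# Added example, not part of uscan or of the original message.
# verify_git_tag <repo-url> <tag>
#   0 : git/gpg report a good signature for an annotated, signed tag
#   1 : tag missing, lightweight, unsigned, or signature bad/untrusted key
#   2 : repository could not be cloned
verify_git_tag() {
    repo=$1
    tag=$2
    # Throw-away directory; -n (--no-checkout) fetches only the object
    # store, which is all that tag verification needs.
    tmp=$(mktemp -d) || return 2
    if ! git clone -q -n "$repo" "$tmp/clone"; then
        rm -rf "$tmp"
        return 2
    fi
    # verify-tag exits non-zero for every failure case above, so the
    # exit status, not the gpg text, is what a caller should trust.
    if git -C "$tmp/clone" verify-tag "$tag" >"$tmp/out" 2>&1; then
        status=0
    else
        status=1
    fi
    cat "$tmp/out"          # show the gpg report as in the message above
    rm -rf "$tmp"
    return $status
}

# Run as a script with the URL and tag from the message, e.g.
#   sh verify-git-tag.sh http://git.linaro.org/lava/lava-dispatcher.git 2016.6
if [ "$#" -eq 2 ]; then
    verify_git_tag "$1" "$2"
fi
```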
