Bug#827065: /usr/bin/uscan: [uscan] please extend git tag support for signed git tag with pgpmode
Osamu Aoki
osamuaoki at e01.itscom.net
Sun Jun 12 15:36:43 UTC 2016
Hi,
On Sun, Jun 12, 2016 at 10:11:52AM +0100, Neil Williams wrote:
> On Sun, 12 Jun 2016 11:48:06 +0900
> Osamu Aoki <osamuaoki at e01.itscom.net> wrote:
>
> > Hi,
> >
> > As for quieting lintian for sig-check, let's use the newly available
> > explicit option opts="pgpmode=none" in the watch file and make lintian
> > understand this option. (Or lintian override).
>
> It's a pedantic tag, so it's not a problem in itself. It's just that
> I'd like to be able to use the functionality.
>
> > But the wishlist bug for uscan should be how to get it right for git
> > repo signature check.
> >
> > On Sat, Jun 11, 2016 at 09:33:37PM +0100, Neil Williams wrote:
> > > Package: devscripts
> > > Version: 2.16.5
> > > Severity: wishlist
> > > File: /usr/bin/uscan
> > >
> > > uscan supports git tags in the debian/watch file
> >
> > Yes, via the newly available git mode in the newest uscan, which
> > supports version=4.
>
> OK, I'm using version=3 at the moment with:
> https://git.linaro.org/lava/lava-dispatcher.git/tags /lava/lava-dispatcher.git/log/refs/tags/(.*)
Undocumented feature: Even for version=3, mode=git is not disabled.
> I'm migrating to:
> version=4
> opts="mode=git,pgpmode=auto" \
> http://git.linaro.org/lava/lava-dispatcher.git \
> refs/tags/([\d+.\d+.\d?\.]+) debian uupdate
Yeah, I wish this worked like this :-)
For now, only pgpmode=none is supported. This git mode is really
experimental, so I need help from possible users like you.
> > > uscan seems to lack this support - assuming that a separate .asc or
> > > .sig file can be downloaded which does not work for a signed git
> > > tag.
> >
> > uscan works in 3 stages:
> > stage1: check some URL to find if there is newer version
> > stage2: download and optionally check signature
> > stage3: use uupdate to make a new template package
> >
> > If people only care about stage1 (that is the case for this example
> > watch file), then sig-check does not work for sure. Lintian assumes
> > you use the full capability of uscan from stage1 to stage3.
> >
> > I think the problem comes if there is no published URL for the tarball
> > and no sig, or even no URL for tags. Then you use the new git mode.
> >
> > Currently, it can create a tarball but has not added support for
> > signed tags.
> >
> > One problem I am worried about is that the tarballs generated locally
> > or by some web interface are not reproducible, as I understand it. So
> > sig-check is possible for an uncompressed tarball or a git signature.
>
> TBH I'm not using the tarball that uscan would create (yet) - issues
> with setuptools currently - but I am planning to investigate how to drop
> setuptools. debian/watch is mainly for others to monitor rather than to
> assist uploads/rebuilds - but then I'm upstream too, so it's not a
> problem.
uupdate only copies the previous build system. Normally, debian/rules calls
setuptools to do the job. See how I do it as upstream of the package
debmake. Its repo is like a native package tree called devel, and I
autogenerate the master and debian branches to make a non-native package.
> > I welcome such feature addition. Please send me shell execution
> > example how that is done manually.
>
> Does uscan clone the repository or do everything remotely? I've been
> unable to find a way to verify the tag remotely. With a cloned repo,
> (possibly in a throw away tmpfs directory with the --no-checkout option)
> it's a simple git verify-tag <tag>.
It does not clone just to scan tags, since many archive scanning services
only use this stage and wish it to be light.
But for creating the tarball, I clone the archive locally to use git archive.
> $ git clone -n http://git.linaro.org/lava/lava-dispatcher.git
> $ cd <package>
> $ git verify-tag 2016.6
> gpg: Signature made Mon 06 Jun 2016 08:01:01 BST using RSA key ID 8143B682
> gpg: Good signature from "Neil Williams (Debian) <codehelp at debian.org>"
> gpg:                 aka "Neil Williams <neil at codehelp.co.uk>"
> gpg:                 aka "Neil Williams (codehelp) <linux at codehelp.co.uk>"
OK, all I need is to find a way to specify a special key location for git
verify-tag. Thanks. When I find time, I will think about adding this
to uscan. (uscan is in perl... sigh.)
Osamu
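The manual check discussed above (a throwaway clone with --no-checkout, then git verify-tag) together with the missing piece asked about in this thread, a key location specific to the package, as an added example in POSIX sh. It is not code from uscan, devscripts or either author of the thread. It assumes the upstream public keys are kept in an armored file such as debian/upstream/signing-key.asc (the name is an assumption; any key file works), that git and gpg 2.1 or newer are installed, and it builds its own constructed fixture (two throwaway keys and a small repository) so it runs offline. It also goes beyond the case in the thread by showing the three ways a tag fails the check: signed by a key that is not in the file, annotated but unsigned, and lightweight, which git verify-tag refuses outright.

```shell
#!/bin/sh
# Added example, not code from uscan, devscripts or the thread's authors:
# verify a signed git tag against a package-specific key file (assumed here to
# be debian/upstream/signing-key.asc) in a throwaway clone, the way a uscan
# mode=git pgpmode check could.  Needs git and gpg 2.1 or newer.
set -eu

# verify_git_tag REPO TAG KEYFILE -> exit status
#   0  TAG carries a good signature from a key contained in KEYFILE
#   1  TAG is lightweight, unsigned, or signed by a key not in KEYFILE
#   2  setup failure (unreadable key file, clone failed)
verify_git_tag() {
    repo=$1; tag=$2; keyfile=$3
    work=$(mktemp -d)
    gh="$work/gnupg"
    mkdir -m 700 "$gh"
    rc=0
    # A fresh GNUPGHOME holds ONLY the keys from KEYFILE, so the user's own
    # ~/.gnupg and its ownertrust never influence the result.
    GNUPGHOME="$gh" gpg --batch --quiet --import "$keyfile" >/dev/null 2>&1 || rc=2
    # Clone without a checkout: the tag objects arrive, no working tree needed.
    if [ "$rc" -eq 0 ]; then
        git clone --quiet --no-checkout "$repo" "$work/repo" >/dev/null 2>&1 || rc=2
    fi
    # git verify-tag exits 0 only when gpg reports GOODSIG.  A lightweight tag
    # is "not a tag object", an unsigned annotated tag has "no signature
    # found", and an unknown signer gives "No public key": all exit 1.
    if [ "$rc" -eq 0 ]; then
        GNUPGHOME="$gh" git -C "$work/repo" verify-tag "$tag" >/dev/null 2>&1 || rc=1
    fi
    GNUPGHOME="$gh" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    return "$rc"
}

# make_fixture: constructed test data, printed as a directory path.  Two
# throwaway keys ("upstream", whose public key is exported to
# signing-key.asc, and "stranger") and a repo with four tags:
#   1.0 signed by upstream   1.1 signed by stranger
#   1.2 annotated, unsigned  1.3 lightweight
make_fixture() {
    fx=$(mktemp -d)
    for who in upstream stranger; do
        mkdir -m 700 "$fx/gnupg-$who"
        GNUPGHOME="$fx/gnupg-$who" gpg --batch --quiet --pinentry-mode loopback \
            --passphrase '' --quick-generate-key "$who <$who@example.invalid>" \
            default default never >/dev/null 2>&1
        GNUPGHOME="$fx/gnupg-$who" gpg --batch --with-colons --list-secret-keys 2>/dev/null |
            awk -F: '$1 == "fpr" { print $10; exit }' >"$fx/fpr-$who"
    done
    GNUPGHOME="$fx/gnupg-upstream" gpg --batch --armor \
        --export "$(cat "$fx/fpr-upstream")" >"$fx/signing-key.asc" 2>/dev/null
    git init -q "$fx/repo" >/dev/null 2>&1
    git -C "$fx/repo" -c user.name=Upstream -c user.email=upstream@example.invalid \
        commit -q --allow-empty -m "release" >/dev/null 2>&1
    for pair in upstream:1.0 stranger:1.1; do
        who=${pair%:*}; ver=${pair#*:}
        GNUPGHOME="$fx/gnupg-$who" git -C "$fx/repo" -c user.name=Upstream \
            -c user.email=upstream@example.invalid \
            -c user.signingkey="$(cat "$fx/fpr-$who")" \
            tag -s -m "release $ver" "$ver" >/dev/null 2>&1
    done
    git -C "$fx/repo" -c user.name=Upstream -c user.email=upstream@example.invalid \
        tag -a -m "release 1.2" 1.2 >/dev/null 2>&1
    git -C "$fx/repo" tag 1.3
    for who in upstream stranger; do
        GNUPGHOME="$fx/gnupg-$who" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    done
    echo "$fx"
}

# Walk the four constructed tags: only 1.0 should be accepted.
demo() {
    for tool in git gpg; do
        command -v "$tool" >/dev/null 2>&1 || { echo "demo needs $tool" >&2; return 0; }
    done
    fx=$(make_fixture)
    for t in 1.0 1.1 1.2 1.3; do
        status=0
        verify_git_tag "$fx/repo" "$t" "$fx/signing-key.asc" || status=$?
        case $status in
            0) echo "tag $t: accepted, good signature from a key in signing-key.asc" ;;
            1) echo "tag $t: rejected, lightweight, unsigned or unknown signer" ;;
            *) echo "tag $t: setup error" ;;
        esac
    done
    rm -rf "$fx"
}
demo
```

Run it as `sh verify_tag.sh` (the file name is arbitrary). A fresh GNUPGHOME per check, rather than gpg's --keyring option, is what keeps the user's own keyring and ownertrust out of the decision: the question being answered is "which key signed this tag", not "does the local web of trust like that key", which is why gpg's "not certified with a trusted signature" warning is expected and git verify-tag still exits 0 on a GOODSIG from an imported key.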