Bug#827065: /usr/bin/uscan: [uscan] please extend git tag support for signed git tag with pgpmode

Osamu Aoki osamuaoki at e01.itscom.net
Sun Jun 12 15:36:43 UTC 2016


Hi,

On Sun, Jun 12, 2016 at 10:11:52AM +0100, Neil Williams wrote:
> On Sun, 12 Jun 2016 11:48:06 +0900
> Osamu Aoki <osamuaoki at e01.itscom.net> wrote:
> 
> > Hi,
> > 
> > As for quieting lintian for sig-check, let's use the newly available
> > explicit option opts="pgpmode=none" to the watch file and make lintian
> > understand this option. (Or lintian override).
> 
> It's a pedantic tag, so it's not a problem in itself. It's just that
> I'd like to be able to use the functionality.
> 
> > But the wishlist bug for uscan should be how to get it right for git
> > repo signature check.
> > 
> > On Sat, Jun 11, 2016 at 09:33:37PM +0100, Neil Williams wrote:
> > > Package: devscripts
> > > Version: 2.16.5
> > > Severity: wishlist
> > > File: /usr/bin/uscan
> > > 
> > > uscan supports git tags in the debian/watch file  
> > 
> > Yes via the newly available git mode with the newest uscan supporting
> > version=4.
> 
> OK, I'm using version=3 at the moment with:
> https://git.linaro.org/lava/lava-dispatcher.git/tags /lava/lava-dispatcher.git/log/refs/tags/(.*)

Undocumented feature: Even for version=3, mode=git is not disabled.
 
> I'm migrating to:
> version=4
> opts="mode=git,pgpmode=auto" \
> http://git.linaro.org/lava/lava-dispatcher.git \
> refs/tags/([\d+.\d+.\d?\.]+) debian uupdate

Yeah, I wish this worked like this :-)

For now, only pgpmode=none is supported.  This git mode is really
experimental, so I need help from possible users like you.

> > > uscan seems to lack this support - assuming that a separate .asc or
> > > .sig file can be downloaded which does not work for a signed git
> > > tag.  
> > 
> > uscan works in 3 stages:
> >  stage1: check some URL to find if there is newer version
> >  stage2: download and optionally check signature
> >  stage3: use uupdate to make a new template package
> > 
> > If people only care about stage1 (that is the case for this example
> > watch file), then sig-check does not work for sure.  Lintian assumes
> > you use the full capability of uscan, from stage1 to stage3.
> > 
> > I think the problem comes if there is no published URL for a tarball
> > and no sig, or even no URL for tags.  Then you use the new git mode.
> > 
> > Currently, it can create a tarball but has not added support for the
> > signed tag.
> > 
> > One problem I am worried about is that the tarballs generated locally
> > or by some web interface are not reproducible, as I understand it.
> > So sig-check is possible for an uncompressed tarball or a git
> > signature.
> 
> TBH I'm not using the tarball that uscan would create (yet) - issues
> with setuptools currently - but I am planning to investigate how to drop
> setuptools. debian/watch is mainly for others to monitor rather than to
> assist uploads/rebuilds - but then I'm upstream too, so it's not a
> problem.

uupdate only copies the previous build system.  Normally, debian/rules
calls setuptools to do the job.  See how I, as upstream of the package
debmake, do it.  Its repo is like a native package tree called devel, and
I autogenerate the master and debian branches to make a non-native package.

> > I welcome such feature addition.  Please send me shell execution
> > example how that is done manually.
> 
> Does uscan clone the repository or do everything remotely? I've been
> unable to find a way to verify the tag remotely. With a cloned repo,
> (possibly in a throw away tmpfs directory with the --no-checkout option)
> it's a simple git verify-tag <tag>.

It does not clone just to scan tags, since many archive scanning services
only use this stage and wish it to be light.

But for creating a tarball, I clone the archive locally to use git archive.

> $ git clone -n http://git.linaro.org/lava/lava-dispatcher.git
> $ cd <package>
> $ git verify-tag 2016.6
> gpg: Signature made Mon 06 Jun 2016 08:01:01 BST using RSA key ID 8143B682
> gpg: Good signature from "Neil Williams (Debian) <codehelp at debian.org>"
> gpg:                 aka "Neil Williams <neil at codehelp.co.uk>"
> gpg:                 aka "Neil Williams (codehelp) <linux at codehelp.co.uk>"

OK, all I need is to find a way to specify a special key location for git
verify-tag.  Thanks.  When I find time, I will think about adding this
to uscan.  (uscan is in perl... sigh.)

Osamu
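The step Osamu is looking for, pointing git verify-tag at one designated key instead of the developer's personal keyring, as an added example that is not part of this thread and not uscan's own code. git passes its environment to gpg, so a throw-away GNUPGHOME holding only the upstream key file (the Debian convention is debian/upstream/signing-key.asc) is the "special key location". The script assumes gpg 2.1 or newer, git and mktemp are installed; the function names are my own, and the fixture it builds (a fresh key, a one-commit repository and a signed tag named 2016.6 like the one quoted above, plus an unrelated key) is constructed test data standing in for a real upstream.

```shell
#!/bin/sh
# Added example, not uscan's code: verify a signed git tag against ONE
# designated key file rather than whatever is in ~/.gnupg.  git runs gpg with
# the environment it inherits, so a throw-away GNUPGHOME holding only that key
# is the "special key location" for git verify-tag.
set -u

# gen_key KEYHOME USERID  -> prints the fingerprint of a fresh passphrase-less key
gen_key() {
    gk_home=$1 gk_uid=$2
    chmod 700 "$gk_home"
    echo allow-loopback-pinentry > "$gk_home/gpg-agent.conf"
    GNUPGHOME=$gk_home gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$gk_uid" default default never >/dev/null
    GNUPGHOME=$gk_home gpg --batch --with-colons --list-secret-keys |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_tag_with_key REPO TAG KEYFILE
# Exit status 0 only if TAG in REPO carries a good signature from a key in KEYFILE.
verify_tag_with_key() {
    vt_repo=$1 vt_tag=$2 vt_key=$3
    vt_home=$(mktemp -d)
    chmod 700 "$vt_home"
    vt_rc=1
    # Import nothing but the designated key; an empty or invalid file fails here.
    if GNUPGHOME=$vt_home gpg --batch --quiet --import "$vt_key" 2>/dev/null; then
        # git verify-tag exits non-zero on a bad signature, on a signer whose
        # public key is absent, and on an unsigned or missing tag.  gpg's
        # report (as in Neil's transcript) goes to stderr; only the status matters.
        if GNUPGHOME=$vt_home git -C "$vt_repo" verify-tag "$vt_tag" 2>/dev/null; then
            vt_rc=0
        fi
    fi
    GNUPGHOME=$vt_home gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$vt_home"
    return $vt_rc
}

# make_fixture DIR
# Constructed test data (not a real upstream): a repo with one commit and a
# signed tag "2016.6", the signer's public key as DIR/signing-key.asc, and an
# unrelated key as DIR/other-key.asc.
make_fixture() {
    mf_dir=$1
    mf_home=$(mktemp -d)
    mf_fpr=$(gen_key "$mf_home" "Example Upstream <upstream@example.invalid>")
    GNUPGHOME=$mf_home gpg --batch --armor --export "$mf_fpr" > "$mf_dir/signing-key.asc"
    mkdir -p "$mf_dir/repo"
    git -C "$mf_dir/repo" init -q
    git -C "$mf_dir/repo" -c user.name=Example -c user.email=upstream@example.invalid \
        commit -q --allow-empty -m "release 2016.6"
    GNUPGHOME=$mf_home git -C "$mf_dir/repo" -c user.name=Example \
        -c user.email=upstream@example.invalid -c user.signingkey="$mf_fpr" \
        tag -s -m "2016.6" 2016.6
    GNUPGHOME=$mf_home gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$mf_home"
    mf_other=$(mktemp -d)
    mf_ofpr=$(gen_key "$mf_other" "Somebody Else <other@example.invalid>")
    GNUPGHOME=$mf_other gpg --batch --armor --export "$mf_ofpr" > "$mf_dir/other-key.asc"
    GNUPGHOME=$mf_other gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$mf_other"
}

# Demo: the same tag checked against the right key and against a stranger's key.
demo() {
    d=$(mktemp -d)
    make_fixture "$d"
    for key in signing-key.asc other-key.asc; do
        if verify_tag_with_key "$d/repo" 2016.6 "$d/$key"; then
            echo "2016.6 verified against $key"
        else
            echo "2016.6 NOT verified against $key"
        fi
    done
    rm -rf "$d"
}
# Only run the demo when the tools exist, so the file stays sourceable elsewhere.
if command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1; then
    demo
fi
```

For a real package you would pass the clone made with `git clone -n` as in Neil's transcript and the packaging's debian/upstream/signing-key.asc as the key file. Because the temporary keyring contains only that key, gpg's usual "not certified with a trusted signature" warning is irrelevant: a good signature can only come from the key the packager chose to ship, which is exactly the property uscan wants from a sig-check.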
