Bug#874029: uscan: please support signature file containing list of signatures

Osamu Aoki osamu at debian.org
Sun Sep 3 15:42:34 UTC 2017


control: severity -1 wishlist


Hi,

On Sat, Sep 02, 2017 at 01:54:12PM -0400, James McCoy wrote:
> On Sat, Sep 02, 2017 at 09:58:43AM +0200, Jérémy Lal wrote:
> > The typical example I have under the hand is:
> > https://nodejs.org/dist/v6.3.1/
> > https://nodejs.org/dist/v6.3.1/SHASUMS256.txt
> > https://nodejs.org/dist/v6.3.1/SHASUMS256.txt.asc
> 
> The subject confused me a bit.  This appears to be a list of the hashes
> of each file, and this list of hashes is signed.  That's quite different
> than the current signature handling, which expects a signature of the
> archive and verifies the archive against that signature.

Yah, ... this looks more like Debian repo.  How many packages are of
this type?

Once we get the basic signature handling right, I may consider this.
But uscan is already too complicated since it added features
piece-by-piece.  I am very reluctant to add features to support corner
cases.  This is low priority.

Priority as I think now:
 #1) Get documented features to work right all the way to orig.tar.gz
     (URL scanning seems to work but ...)
 #2) Support git repo as upstream URL
 #3) Make code more modular and readable
 #4) Flexible modular features
      * multiple upstream sites (look 2 sites and pick)
      * signature handling  (hash->sig etc.)
      * custom mk-origtargz (repack)
      * custom uupdate      (update source tree)

Regards,

Osamu
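
The two-stage check described in the quoted text above (a signature over a list of hashes, then the archive checked against its listed hash), as an added example that is not part of the original message and is not uscan code. It assumes a sha256sum-style list like SHASUMS256.txt and a `gpgv` binary with a keyring for stage 1; the function names and the sample file names are hypothetical.

```python
import hashlib
import hmac
import subprocess

def signature_ok(keyring, sig_path, list_path):
    """Stage 1: check the detached signature over the checksum list with gpgv."""
    result = subprocess.run(
        ["gpgv", "--keyring", keyring, sig_path, list_path],
        capture_output=True,
    )
    return result.returncode == 0

def parse_checksum_list(text):
    """Parse sha256sum-style lines ('<64 hex>  <name>') into {name: digest}."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # skip blank or incomplete lines
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed digest for %r" % name)
        if name in table and table[name] != digest:
            raise ValueError("conflicting digests for %r" % name)
        table[name] = digest
    return table

def archive_ok(table, name, data):
    """Stage 2: the archive must be listed and its SHA-256 must match."""
    expected = table.get(name)
    if expected is None:
        return False  # an unlisted file is not covered by the signature
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample data, not real upstream content.
SAMPLE_TARBALL = b"constructed tarball bytes"
SAMPLE_LIST = (
    hashlib.sha256(SAMPLE_TARBALL).hexdigest() + "  example-1.0.tar.gz\n"
    + hashlib.sha256(b"other").hexdigest() + "  example-1.0.zip\n"
)

if __name__ == "__main__":
    table = parse_checksum_list(SAMPLE_LIST)
    print(archive_ok(table, "example-1.0.tar.gz", SAMPLE_TARBALL))
```

The archive is only as trustworthy as the list, so `archive_ok` is meaningful only after `signature_ok` has succeeded on the same list file that was parsed.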



More information about the devscripts-devel mailing list