[devscripts] 01/01: uscan: Correct information on the OpenPGP fingerprint etc.

Osamu Aoki osamu at moszumanska.debian.org
Fri Sep 29 13:48:37 UTC 2017


This is an automated email from the git hooks/post-receive script.

osamu pushed a commit to branch master
in repository devscripts.

commit 91ce22128143634fa46423e735ecf5bd35c0bb55
Author: Osamu Aoki <osamu at debian.org>
Date:   Fri Sep 29 22:45:29 2017 +0900

    uscan: Correct information on the OpenPGP fingerprint etc.
    
      Closes: #877104
    
    Signed-off-by: Osamu Aoki <osamu at debian.org>
---
 debian/changelog |  2 ++
 scripts/uscan.pl | 31 +++++++++++++++++++++----------
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 31c02d9..a67f435 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,8 @@ devscripts (2.17.11) UNRELEASED; urgency=medium
     bump dpkg-bev version to 1.18.19.  Closes: #876024
   * Removed Martin Zobel-Helas, Patrick Schoenfeld, and Benjamin Drung
     from Uploaders after asking them.
+  * Auto set --force-download when appropriate to prevent regression.
+  * Correct information on the OpenPGP fingerprint etc.  Closes: #877104
 
   [ Chris Lamb ]
   * reproducible-check: Match name on remote server.
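Review bot: The added entry "Auto set --force-download when appropriate to prevent regression." matches nothing else in this commit. The diffstat lists only debian/changelog and scripts/uscan.pl, the 31 changed lines in uscan.pl are all accounted for by the POD hunk, and the commit subject mentions only the OpenPGP fingerprint text. Move that line into the commit that changes the --force-download behaviour so that changelog and code stay in step. The context line above also reads "dpkg-bev", which looks like a typo worth fixing while this stanza is being edited.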
diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index e1bff3f..97bb4d0 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -1167,16 +1167,27 @@ See mk-origtargz(1).
 =head1 KEYRING FILE EXAMPLES
 
 Let's assume that the upstream "B<< uscan test key (no secret)
-<none at debian.org> >>" signs its package and publishes its public key
-fingerprint 'B<CF21 8F0E 7EAB F584 B7E2 0402 C77E 2D68 7254 3FAF>' which you
-know is the trusted one.
-
-Please note that the short keyid B<72543FAF> is the last 4 Bytes, the long
-keyid B<C77E2D6872543FAF> is the last 8 Bytes, and the finger print is the last
-20 Bytes of the public key in hexadecimal form.  Considering the existence of
-the collision attack on the short keyid, the use of the long keyid is
-recommended for receiving keys from the public key servers.  You must verify
-the downloaded OpenPGP key using its fingerprint.
+<none at debian.org> >>" signs its package with a secret OpenPGP key and publishes
+the corresponding public OpenPGP key.  This public OpenPGP key can be
+identified in 3 ways using the hexadecimal form.
+
+=over
+
+=item * The fingerprint as the 20 byte data calculated from the public OpenPGP
+key. E.  g., 'B<CF21 8F0E 7EAB F584 B7E2 0402 C77E 2D68 7254 3FAF>'
+
+=item * The long keyid as the last 8 byte data of the fingerprint. E. g.,
+'B<C77E2D6872543FAF>'
+
+=item * The short keyid is the last 4 byte data of the fingerprint. E. g.,
+'B<72543FAF>'
+
+=back
+
+Considering the existence of the collision attack on the short keyid, the use
+of the long keyid is recommended for receiving keys from the public key
+servers.  You must verify the downloaded OpenPGP key using its full fingerprint
+value which you know is the trusted one.
 
 The armored keyring file F<debian/upstream/signing-key.asc> can be created by
 using the B<gpg> (or B<gpg2>) command as follows.
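Review bot: The closing paragraph of the new text still recommends the long keyid for receiving keys and only afterwards requires the full fingerprint check, so a reader can take the long keyid as sufficient. State that a keyid only locates a candidate key and that trust comes solely from comparing the full fingerprint with the trusted value. In the =item list, the first item has "E.  g.," with a stray double space where the others have "E. g.,", the first two items say "as the" while the third says "is the", and "20 byte data" would read better as "20-byte value". The 20-byte length holds for version 4 OpenPGP keys, so qualify it as such.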

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git


