[pkg-wine-party] Sponsor for winetricks

Jens Reyer jre.winesim at gmail.com
Fri May 6 15:48:46 UTC 2016


On 05/04/2016 12:17 AM, Joseph Bisch wrote:
> On Tue, May 03, 2016 at 04:32:55PM +0200, Jens Reyer wrote:
>> On 05/03/2016 02:30 AM, Austin English wrote:
>>> On Mon, May 2, 2016 at 12:33 PM, Jens Reyer <jre.winesim at gmail.com> wrote:
>>>>> P debian-watch-may-check-gpg-signature
>>>>
>>>> You might ask upstream to sign the git tags. (Hey Austin :) )
>>>
>>> Commits and tags have been signed for a while (since GitHub started
>>> displaying it). See all the 'verified' signs in
>>> https://github.com/Winetricks/winetricks/commits/master
>>
>> Great! I only checked older (unsigned) tags.
> 
> The debian/watch file doesn't support git tags. It uses GitHub's
> release/tags download feature, which is missing the .git directory, so
> it can't verify the signed tags. But I have the Winetricks GitHub
> repository as a remote, so I can manually fetch and verify the tag
> before merging it into the packaging branch.
> 
> So the debian-watch-may-check-gpg-signature message won't go away unless
> signatures for the GitHub releases are added somewhere, so that uscan
> can verify them.

OK, not trivial and not for this release ;(

Upstream will probably start to sign the release tarballs (see
https://github.com/Winetricks/winetricks/pull/639). Signing the release
tarballs, not only the tags, is more secure anyway. Unfortunately this
still requires a manual step; neither Austin nor I am happy about that.
But imo this is the best solution until github changes something (they
may break that workflow (bad), or offer shell access (good)). Big thanks
to Austin!

I updated https://wiki.debian.org/debian/watch with the necessary
pgpsigurlmangle opt. Full d/watch for winetricks:

---
version=3
opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/winetricks-$1\.tar\.gz/,\
dversionmangle=s/^\d*\.\d*\+//,\
oversionmangle=s/^/0.0+/,\
pgpsigurlmangle=s/archive\/(\d\S*)\.tar\.gz/releases\/download\/$1\/$1\.tar\.gz\.asc/ \
  https://github.com/Winetricks/winetricks/releases .*/v?(\d\S*)\.tar\.gz
---

I successfully tested the whole workflow (upstream and debian) here, and
was able to run uscan to obtain and verify the release tarball from
github, signed with my key.


>> Joseph, you may also suggest "tor" (for the new torify option in
>> winetricks that is needed in certain countries that block e.g. archive.org)
> 
> Actually I already added "tor" to the suggests in my second upload to
> mentors.d.n in addition to "aria2".

Good. Generally you might notify potential sponsors about updates on
mentors.d.o.

Final nitpick: for packages on mentors it's usually suggested to use
"unstable" as dist in d/changelog, even if the package is not sure to be
released, because the only target audience are potential sponsors.


>> All my remarks aren't real blockers for an upload, but trivial to fix. I
>> can send you a patch if you prefer. I'd be happy to see an updated
>> winetricks version soon.
> 
> Thanks, I added your suggestions, so the patch isn't necessary. Now the
> only thing left seems to be to switch over to pkg-wine for the
> maintainer and repository, but I'd rather see this get released while it
> is still current. I requested to join the team on Alioth.

Great, I hope you find a sponsor and are added to the team soon.

Greets
jre
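Added example, not code from the mail, from winetricks or from uscan: a small Python script that applies the four mangle rules of the d/watch quoted above (translated from Perl s/// syntax) to a constructed GitHub archive link, so the filename, the versions uscan compares and the derived .asc URL can be checked before relying on them. The `process_release` helper, its guard for an unchanged signature URL, and the sample link and packaging version are this example's own.

```python
import re

# The opts line from the winetricks d/watch quoted in the mail, with the
# backslash continuations joined (constructed copy for this example).
WATCH_OPTS = (
    r"filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/winetricks-$1\.tar\.gz/,"
    r"dversionmangle=s/^\d*\.\d*\+//,"
    r"oversionmangle=s/^/0.0+/,"
    r"pgpsigurlmangle=s/archive\/(\d\S*)\.tar\.gz/releases\/download\/$1\/$1\.tar\.gz\.asc/"
)
WATCH_PATTERN = r".*/v?(\d\S*)\.tar\.gz"  # href pattern from the same watch line

def perl_subst(expr, text):
    """Apply one Perl-style s/PATTERN/REPLACEMENT/ with Python's re.
    Only the first match is replaced (no /g), and $1-style backrefs and
    escaped literals such as \\/ and \\. in the replacement are expanded."""
    m = re.fullmatch(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/", expr)
    if not m:
        raise ValueError("unsupported mangle: %s" % expr)
    pattern, repl = m.groups()

    def expand(match):
        out, i = [], 0
        while i < len(repl):
            if repl[i] == "\\" and i + 1 < len(repl):      # \. or \/ -> literal
                out.append(repl[i + 1]); i += 2
            elif repl[i] == "$" and i + 1 < len(repl) and repl[i + 1].isdigit():
                out.append(match.group(int(repl[i + 1]))); i += 2
            else:
                out.append(repl[i]); i += 1
        return "".join(out)
    return re.sub(pattern, expand, text, count=1)

def parse_opts(opts):
    return dict(item.split("=", 1) for item in opts.split(","))

def process_release(href, debian_upstream_version):
    """Mirror the mangling uscan applies to one matched tarball link: the
    version it compares, the orig version and filename it writes, and the
    detached-signature URL it must fetch to verify the download."""
    opts = parse_opts(WATCH_OPTS)
    m = re.fullmatch(WATCH_PATTERN, href)
    if not m:
        raise ValueError("href does not match the watch pattern")
    sig_url = perl_subst(opts["pgpsigurlmangle"], href)
    if sig_url == href:  # example's own guard: no rewrite means no .asc to verify
        raise ValueError("pgpsigurlmangle did not rewrite the URL")
    return {
        "upstream_version": m.group(1),
        "debian_version_for_compare": perl_subst(opts["dversionmangle"], debian_upstream_version),
        "orig_version": perl_subst(opts["oversionmangle"], m.group(1)),
        "filename": perl_subst(opts["filenamemangle"], href),
        "signature_url": sig_url,
    }
```

Calling `process_release("https://github.com/Winetricks/winetricks/archive/20160425.tar.gz", "0.0+20160109")` (constructed sample values) yields the `winetricks-20160425.tar.gz` filename, orig version `0.0+20160425`, and the `releases/download/20160425/20160425.tar.gz.asc` signature URL that uscan downloads and verifies.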