Your message dated Sat, 19 Jul 2014 15:38:31 +0000 with message-id <[email protected]> and subject line Bug#732446: fixed in maint-guide 1.2.33 has caused the Debian Bug report #732446, regarding maint-guide: encourage package maintainers to check upstream cryptographic signatures to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
732446: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732446
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: maint-guide
Version: 1.2.31
Severity: normal
Tags: patch

Since devscripts 2.13.3 (see #610712), uscan has supported the ability to automatically verify upstream's cryptographic signatures if the signing key and URL to the signature are well-known.

The maint-guide should recommend that package maintainers regularly verify these signatures for new versions, and mention the files used.

A proposed patch for maint-guide is attached.

Regards,

--dkg

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

maint-guide depends on no packages.

maint-guide recommends no packages.

Versions of packages maint-guide suggests:
ii  debian-policy         3.9.5.0
pn  developers-reference  <none>
ii  devscripts            2.13.8
pn  dh-make               <none>
pn  doc-base              <none>
ii  dput-ng [dput]        1.7
ii  dupload               2.7.0
ii  fakeroot              1.18.4-2
ii  lintian               2.5.20
pn  pbuilder              <none>
ii  quilt                 0.60-10

-- debconf-show failed

Index: maint-guide.en.dbk
===================================================================
--- maint-guide.en.dbk	(revision 10346)
+++ maint-guide.en.dbk	(working copy)
@@ -3902,7 +3902,47 @@ <literal>&sf-net;/<replaceable>project</replaceable>/<replaceable>tar-name</replaceable>-(.+)\.tar\.gz</literal>. This solves issues related to periodically changing SourceForge URLs. </para> +<para>If upstream offers cryptographic signatures of their tarballs in +a detached file with a similar name to the tarball, you can identify +the tarball using the <literal>pgpsigurlmangle</literal> option. +</para> +<para> +For example, enigmail source tarballs are signed with a detached +signature named the same as the tarball, but with a +<filename>.asc</filename> suffix. So enigmail's +<filename>debian/watch</filename> file looks like: +</para> +<screen> +version=3 +opts=pgpsigurlmangle=s/$/.asc/ http://enigmail.mozdev.org/download/source.php.html .*/enigmail-([\d\.]*).tar.gz +</screen> +<para> +You'll also want to indicate which key(s) you expect upstream to use +to sign their source code with in <xref +linkend="upstreamsigningkey"/>. +</para> </section> +<section id="upstreamsigningkey"><title><filename>upstream-signing-key.pgp</filename></title> +<para> +If the package's upstream developers use an OpenPGP key to sign their +releases, you probably want to verify those signatures, and make sure +they come from the right people. You can do this by exporting the +signing key (or keys) used by upstream into +<filename>debian/upstream-signing-key.pgp</filename>, as a standard +OpenPGP keyring. +</para> +<para> +For example, if you know that the upstream signs their releases with a +key with fingerprint 0123456789ABCDEF0123456789ABCDEF01234567, you +could do: +</para> +<screen> +gpg --export 0123456789ABCDEF0123456789ABCDEF01234567 > debian/upstream-signing-key.pgp +</screen> +<para> +This can be used by <command>uscan</command> as described in <xref linkend="watch"/>. +</para> +</section> <section id="sourcef"><title><filename>source/format</filename></title> <para> In the <filename>debian/source/format</filename> file, there should be a single
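Review bot: the first added paragraph misstates what the option does: pgpsigurlmangle does not "identify the tarball", it rewrites the tarball URL into the URL of the detached signature (which is exactly what the enigmail rule s/$/.asc/ does). Suggest "you can tell uscan where to find the signature using the <literal>pgpsigurlmangle</literal> option" instead. In the new upstreamsigningkey section, the gpg --export line exports whichever key with that fingerprint already sits in the maintainer's own keyring, so the surrounding text should say that the key has to be imported first and its fingerprint confirmed through a channel independent of the download site (a signed release announcement, the project's published key page, or the developer in person) before it is written to debian/upstream-signing-key.pgp; otherwise the keyring only proves the signature matches a key the maintainer happened to hold, not that it "comes from the right people" as the paragraph promises.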
--- End Message ---
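To make concrete what the watch-file mechanism in the report above actually does, here is an added example (it is not part of the bug report, of the attached patch, or of the devscripts/uscan code). It parses the enigmail debian/watch file quoted in the patch, matches a tarball href against the watch pattern, applies the pgpsigurlmangle rule to derive the detached-signature URL, and builds the gpgv argument vector that would check that signature against debian/upstream-signing-key.pgp. Assumptions: the mangle grammar is simplified to ';'-separated s/pat/rep/flags rules with the flags g and i, options are split on commas, the trailing version/script watch fields are ignored, and the gpgv invocation is modelled on how uscan verifies with the packaged keyring but is only constructed, never executed, so the script runs offline.

```python
import re

# Constructed sample input: the enigmail debian/watch file quoted in the
# patch above (uscan "version=3" format).
SAMPLE_WATCH = """version=3
opts=pgpsigurlmangle=s/$/.asc/ http://enigmail.mozdev.org/download/source.php.html .*/enigmail-([\\d\\.]*).tar.gz
"""


def parse_watch(text):
    """Parse a version=3 debian/watch file into a list of entries.

    Each entry is a dict with 'opts' (dict), 'url' and 'pattern'.
    Backslash line continuations are joined; blank lines and comments are
    skipped. Simplification (assumption): options are split on ',' and the
    optional trailing version/script fields are ignored.
    """
    joined = text.replace("\\\n", " ")
    entries, version = [], None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if version is None:
            m = re.match(r"version\s*=\s*(\d+)$", line)
            if not m:
                raise ValueError("watch file must start with a version= line")
            version = int(m.group(1))
            continue
        fields = line.split()
        opts = {}
        if fields and fields[0].startswith("opts="):
            optstr = fields.pop(0)[len("opts="):].strip('"')
            for opt in optstr.split(","):
                key, _, val = opt.partition("=")
                opts[key] = val
        if len(fields) < 2:
            raise ValueError("watch line needs a URL and a pattern: %r" % line)
        entries.append({"opts": opts, "url": fields[0], "pattern": fields[1]})
    return entries


def apply_mangle(rules, value):
    """Apply uscan-style mangle rules to a string.

    Supports ';'-separated Perl-like substitutions s<d>pat<d>rep<d>flags with
    an arbitrary delimiter <d> and the flags g and i; $1-style back-references
    become Python's \\1. Escaped delimiters inside the pattern are not
    handled (simplification).
    """
    for rule in filter(None, rules.split(";")):
        if len(rule) < 2 or rule[0] != "s":
            raise ValueError("unsupported mangle rule: %r" % rule)
        parts = rule[2:].split(rule[1])
        if len(parts) != 3:
            raise ValueError("malformed substitution: %r" % rule)
        pattern, replacement, flags = parts
        replacement = re.sub(r"\$(\d+)", r"\\\1", replacement)
        value = re.sub(pattern, replacement, value,
                       count=0 if "g" in flags else 1,
                       flags=re.IGNORECASE if "i" in flags else 0)
    return value


def match_tarball(pattern, href):
    """Return the upstream version if href matches the whole watch pattern,
    else None; the first capture group is the version, as in uscan."""
    m = re.fullmatch(pattern, href)
    return m.group(1) if m else None


def signature_url(tarball_url, opts):
    """Derive the detached-signature URL the way pgpsigurlmangle does.

    Returns None when the watch file carries no pgpsigurlmangle option,
    i.e. when uscan has no signature to verify.
    """
    rules = opts.get("pgpsigurlmangle")
    if not rules:
        return None
    return apply_mangle(rules, tarball_url)


def verify_argv(keyring, signature, tarball):
    """Argument vector for checking a detached signature against the packaged
    keyring. Modelled on uscan's use of gpgv with debian/upstream-signing-key.pgp
    (assumption about the exact invocation); constructed here, not executed."""
    return ["gpgv", "--keyring", keyring, signature, tarball]


if __name__ == "__main__":
    entry = parse_watch(SAMPLE_WATCH)[0]
    # Constructed href, as it might appear on the upstream download page.
    href = "http://enigmail.mozdev.org/download/enigmail-1.6.tar.gz"
    print("upstream version:", match_tarball(entry["pattern"], href))
    print("signature URL:   ", signature_url(href, entry["opts"]))
    print("verify with:     ", " ".join(verify_argv(
        "debian/upstream-signing-key.pgp", "enigmail-1.6.tar.gz.asc", "enigmail-1.6.tar.gz")))
```

The point the script makes is the one the bug report argues for: the watch file alone only tells uscan where the signature lives; the keyring in debian/ is what turns "a signature exists" into "signed by the key the maintainer vouched for", and a watch entry without pgpsigurlmangle yields no signature URL at all, so nothing gets verified.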
--- Begin Message ---
Source: maint-guide
Source-Version: 1.2.33

We believe that the bug you reported is fixed in the latest version of maint-guide, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Osamu Aoki <[email protected]> (supplier of updated maint-guide package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 19 Jul 2014 16:14:04 +0900
Source: maint-guide
Binary: maint-guide maint-guide-ca maint-guide-de maint-guide-es maint-guide-fr maint-guide-it maint-guide-ja maint-guide-ru
Architecture: source all
Version: 1.2.33
Distribution: unstable
Urgency: medium
Maintainer: Osamu Aoki <[email protected]>
Changed-By: Osamu Aoki <[email protected]>
Description:
 maint-guide - Debian New Maintainers' Guide
 maint-guide-ca - Debian New Maintainers' Guide (Catalan)
 maint-guide-de - Debian New Maintainers' Guide (German)
 maint-guide-es - Debian New Maintainers' Guide (Spanish)
 maint-guide-fr - Debian New Maintainers' Guide (French)
 maint-guide-it - Debian New Maintainers' Guide (Italian)
 maint-guide-ja - Debian New Maintainers' Guide (Japanese)
 maint-guide-ru - Debian New Maintainers' Guide (Russian)
Closes: 623477 695577 696078 703811 719926 732446 734270 740609 744984 753086
Changes:
 maint-guide (1.2.33) unstable; urgency=medium
 .
   * De-emphasize native package. Closes: #696078
   * Recommend use of cryptographic signature. Closes: #732446
   * Always sign with debsign. Closes: #734270, #695577
   * Fixed typos. Closes: #740609, #744984
   * Add support channel info. Closes: #719926
   * Mention hierarchy of build commands. Closes: #703811
   * Mention debmake and its packaging examples. Closes: #623477
   * Translation updated for de, it, ja, and ru. Closes: #753086
   * Mention the debmake package and bump version to jessie.
Checksums-Sha1:
 fc4f0ca86a4daee2ba459dd3398043d98fad3aee 1652 maint-guide_1.2.33.dsc
 716eb4f44a2004f54d1e30e08dd6fd5fd630a407 587200 maint-guide_1.2.33.tar.xz
 29de646db1f3f5cfaad9491bd4af5e11e83dea20 640218 maint-guide_1.2.33_all.deb
 9adbfae8de132eabe9dfb040c06ccecae3d8b7d7 693408 maint-guide-ca_1.2.33_all.deb
 567072b2c306e98d8d1de1c2cdbb883975f2edc7 704152 maint-guide-de_1.2.33_all.deb
 0ab6ab41bb3300117c0ea1122ca8f529861ebe14 698290 maint-guide-es_1.2.33_all.deb
 d87e2f36ccd26338a41021dad52c7bb71816fd00 674838 maint-guide-fr_1.2.33_all.deb
 3ba94c50705cd3543f0d133e43863e7577f80636 672624 maint-guide-it_1.2.33_all.deb
 4ef2a0de0da0f7fccee9c212064adcd0870ce60f 1045898 maint-guide-ja_1.2.33_all.deb
 93ff7cb2d62a1ab613e84c58708e1e9c935cd845 763964 maint-guide-ru_1.2.33_all.deb
Checksums-Sha256:
 efe8cd0f0ada9a43828e77fe34ca9f44861f79a3978f75c9f2a2899fc9f6fd8a 1652 maint-guide_1.2.33.dsc
 75eed26691bdad9cbf486a0e87f59fb0f5c90553ebf030a4da65331c14516062 587200 maint-guide_1.2.33.tar.xz
 d76892c00f2aefe652df8cb91470070acb95fecfa9268d362b53c0b6fb190d2e 640218 maint-guide_1.2.33_all.deb
 1e80cbaabb918e5e5185b4487dfb89558f74367e3c078808f2747577718ffdc3 693408 maint-guide-ca_1.2.33_all.deb
 43a46fbe0a2fbe05048bcd0593ef17424850fcb5e9dba363dc975da4b313a960 704152 maint-guide-de_1.2.33_all.deb
 633c7836b6fd3d71c861d52b91c73bacd9669ac49fc02e5b5319b3dfb9bb6407 698290 maint-guide-es_1.2.33_all.deb
 de93ea28105e0b0a4801a9a4dfbca695d801c82e0ca92e5406c0d78509fe3089 674838 maint-guide-fr_1.2.33_all.deb
 3536f08ca5e9f6be69aaeeecf625dea255b55451b98e9d532cdfbfa928e206c2 672624 maint-guide-it_1.2.33_all.deb
 c1b05cdb15efa6d0a9516e44f81c849a211a97d711d03bf0778c492bba11e7e6 1045898 maint-guide-ja_1.2.33_all.deb
 240487dbc50053ba8d42b59b3ce32d3a9fc65099ddbf499d7f60c804b1aa9086 763964 maint-guide-ru_1.2.33_all.deb
Files:
 4c756f1adb82cd20952e7de85b1fe251 640218 doc optional maint-guide_1.2.33_all.deb
 a34ba27b86f37887418079fb8a4e8177 693408 doc extra maint-guide-ca_1.2.33_all.deb
 c9e352387dc26f4c2a53d85285e2fa59 704152 doc extra maint-guide-de_1.2.33_all.deb
 46237298e426f51ab72aaea17ec999b9 698290 doc extra maint-guide-es_1.2.33_all.deb
 ceda63669ba3aaa19c4f396d9d6c633e 674838 doc extra maint-guide-fr_1.2.33_all.deb
 3a3b3e90c372f2244882b144243ca309 672624 doc extra maint-guide-it_1.2.33_all.deb
 9727ae79941466e5627f4cbf8996532e 1045898 doc extra maint-guide-ja_1.2.33_all.deb
 ed9d8f949593261124911893bc19ccfe 763964 doc extra maint-guide-ru_1.2.33_all.deb
 e7200db7c6c438422ed2c220cb58fbc5 1652 doc optional maint-guide_1.2.33.dsc
 d6ecdc46268f0df705b3606ee2e38344 587200 doc optional maint-guide_1.2.33.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlPKdzkACgkQ6A/EwagGHzLX+QCdHdWK24/VQMwH3HPTtBfIsBGa
HjwAn26tjcG2IW7AUVUARO4f+5ruFMJq
=h+60
-----END PGP SIGNATURE-----
--- End Message ---

