Package: src:dpkg
Version: 1.20.1
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

Dear colleagues,

Today dpkg was upgraded from 1.19.7 to 1.20.1 and I noticed that packages
started failing to build.

For example, the package with the following uscan configuration:

opts="component=libdvdread-embedded, \
      repack, \
      compression=xz, \
      pgpsigurlmangle=s/$/.asc/" \
https://download.videolan.org/pub/videolan/libdvdread/([\d][\d\.]+[a-z]?)/libdvdread-([\d][\d\.]+[a-z]?)\.tar\.(?:gz|bz2|xz) \
ignore

throws the following error:

dpkg-source: error: upstream signing key but no upstream tarball signature

However, the use case is perfectly legitimate here: first, uscan checks the
upstream GPG signature using debian/upstream/signing-key and then repacks
the tarball to match the specified compression format (the compression format
has to be the same for all tarballs in the package because gbp does not
recognize tarballs with different extensions).

I found out that the following upstream commit:

 From ca1cb131d8945d9d47871110f6a3010a501cd03a Mon Sep 17 00:00:00 2001
 From: Guillem Jover <guil...@debian.org>
 Date: Sun, 22 Mar 2020 23:32:56 +0100
 Subject: [PATCH] Dpkg::Source::Package: Check missing expected tarball
  signatures

 When the source package provides an upstream signing key, it is expected
 that the source package provides upstream tarball signatures. If not,
 then error out, to avoid building packages with the missing files, which
 tends to be very easy to get into.

introduced the bug.

What I'd expect as a resolution of the bug is either:

 - soften the error to a warning, or
 - introduce a local-option to suppress the new behavior.

The local-option is better here because the error forces the maintainer
to think about the root cause and either fix the watchfile or override
the local-options documenting the expected outcome.

Downgrading the dpkg version to 1.19.7 is a temporary workaround as well.

Vasyl

-- Package-specific info:

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-108-generic (SMP w/6 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to 
en_US.UTF-8), LANGUAGE=C (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages dpkg depends on:
ii  libbz2-1.0   1.0.8-3
ii  libc6        2.30-8
ii  liblzma5     5.2.4-1+b1
ii  libselinux1  3.0-1+b3
ii  tar          1.30+dfsg-7
ii  zlib1g       1:1.2.11.dfsg-2

dpkg recommends no packages.

Versions of packages dpkg suggests:
ii  apt            2.1.6
ii  debsig-verify  0.22

-- no debconf information
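
Added example, not part of the original report and not dpkg's own code: a pre-build check that approximates the condition described in the quoted commit message, listing orig tarballs that have no detached .asc signature when an upstream signing key is shipped. A repacked tarball no longer matches the upstream signature byte for byte, which is how the component tarball in the constructed layout ends up unsigned. The key file names, the package name "examplepkg" and version "1.0" are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumed key file names under debian/upstream/ (the report only says "signing-key").
KEY_NAMES = ("signing-key.asc", "signing-key.pgp")
# <source>_<upstream-version>.orig[-<component>].tar.<compression>
ORIG_RE = re.compile(
    r"^(?P<src>[a-z0-9][a-z0-9+.-]+)_(?P<ver>[^_]+)"
    r"\.orig(?:-(?P<comp>[A-Za-z0-9-]+))?\.tar\.(?:gz|bz2|xz|lzma)$"
)

def has_upstream_key(srcdir):
    """True if the unpacked source tree ships an upstream signing key."""
    upstream = Path(srcdir) / "debian" / "upstream"
    return any((upstream / name).is_file() for name in KEY_NAMES)

def unsigned_orig_tarballs(srcdir, tarball_dir, source, version):
    """List orig tarballs without a detached .asc; [] if no upstream key is shipped."""
    if not has_upstream_key(srcdir):
        return []
    missing = []
    for path in sorted(Path(tarball_dir).iterdir()):
        m = ORIG_RE.match(path.name)
        if not m or m["src"] != source or m["ver"] != version:
            continue
        if not path.with_name(path.name + ".asc").is_file():
            missing.append(path.name)
    return missing

def demo():
    """Constructed layout: signed main tarball, repacked component without a signature."""
    with tempfile.TemporaryDirectory() as tmp:
        top = Path(tmp)
        src = top / "examplepkg-1.0"
        (src / "debian" / "upstream").mkdir(parents=True)
        (src / "debian" / "upstream" / "signing-key.asc").write_text("constructed\n")
        for name in ("examplepkg_1.0.orig.tar.xz",
                     "examplepkg_1.0.orig.tar.xz.asc",
                     "examplepkg_1.0.orig-libdvdread-embedded.tar.xz"):
            (top / name).write_text("constructed\n")
        return unsigned_orig_tarballs(src, top, "examplepkg", "1.0")

if __name__ == "__main__":
    for name in demo():
        print(f"no signature for {name}")
```

The check only tests for the presence of a signature file; verifying it against the key is a separate step.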
