[ Err, bah sorry about the many dupes now, was looking in the correct bug, but replying to the original one. :/ ]
Hi! On Wed, 2014-08-27 at 07:28:14 -0700, Daniel Kahn Gillmor wrote: > On 08/27/2014 03:18 AM, Ansgar Burchardt wrote: > > Daniel Kahn Gillmor <[email protected]> writes: > >> There is probably a lot of work to do to get all the way there, but a > >> first step is to get dak to not reject the file in an upload. > >> > >> I just tried adding the upstream signature to a .dsc for libgpg-error > >> 1.13-4 (see attached files), and got a rejection message from dak: > >> > >> libgpg-error_1.13-4.dsc: libgpg-error_1.13.orig.tar.bz2.asc in Files > >> field not recognised as source. > >> > >> paultag said he'd be up for working on dak to fix this. > > > > Do dpkg-source, apt and sbuild accept such packages? Also in the version > > in stable? (Just ignoring stuff would do.) > > > > The archive should only start accepting them once they do. > I haven't checked apt or sbuild yet, but dpkg-source appears to choke on it: > > 0 dkg@alice:/tmp/cdtemp.qlo9m9$ dpkg-source -x *.dsc > dpkg-source: info: extracting libgpg-error in libgpg-error-1.13 > dpkg-source: error: unrecognized file for a v2.0 source package: > libgpg-error_1.13.orig.tar.bz2.asc > 255 dkg@alice:/tmp/cdtemp.qlo9m9$ > > so i'm cloning this bug for dpkg-dev. I'll try to look into apt and > sbuild soon. Ah, hmmm, yeah make sense. It also does really make sense as an additional file alongside the others referenced from the .dsc metadata. As a minor detail, the .asc would not be included in the .changes file when the orig.tar is not included either in the upload. I'm thinking dpkg-source would automatically include it if it finds it side by side the orig.tar. But I'm not comfortable just adding it as is, I'd probably want to bump the minor version of the format. As this gets us to the problem that we currently conflate the .dsc file format version with the actual source format version. It probably does not make sense to very the signature on unpack and fail hard by default, because most probably the user will not have the signers key. I'm not sure if even verifying as warning might make sense as default either if it's just going to annoy people at large. But I could see either a new option to make it verify it at all (and fail hard), or to turn the verify from possibly a warning into a fatal error. Does this sound good(ish)? Thanks, Guillem -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

