Your message dated Sat, 27 Jun 2020 23:48:29 +0000
with message-id <[email protected]>
and subject line Bug#963821: fixed in dpkg 1.20.2
has caused the Debian Bug report #963821,
regarding dpkg-source error on repacked tarballs initially signed by upstream signing key
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
963821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963821
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:dpkg
Version: 1.20.1
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)

Dear colleagues,

Today the dpkg was upgraded from 1.19.7 to 1.20.1 and I noticed that packages started failing to build. For example, the package with the following uscan configuration:

    opts="component=libdvdread-embedded, \
          repack, \
          compression=xz, \
          pgpsigurlmangle=s/$/.asc/" \
    https://download.videolan.org/pub/videolan/libdvdread/([\d][\d\.]+[a-z]?)/libdvdread-([\d][\d\.]+[a-z]?)\.tar\.(?:gz|bz2|xz) \
    ignore

throws the following error:

    dpkg-source: error: upstream signing key but no upstream tarball signature

However, the use case is perfectly legitimate here: first, uscan checks the upstream GPG signature using debian/upstream/signing-key and then repacks the tarball to match the specified compression format (the compression format has to be one for all tarballs in the package because gbp does not recognize tarballs with different extension).

I found out that the following upstream commit:

    From ca1cb131d8945d9d47871110f6a3010a501cd03a Mon Sep 17 00:00:00 2001
    From: Guillem Jover <[email protected]>
    Date: Sun, 22 Mar 2020 23:32:56 +0100
    Subject: [PATCH] Dpkg::Source::Package: Check missing expected tarball signatures

    When the source package provides an upstream signing key, it is expected
    that the source package provides upstream tarball signatures. If not,
    then error out, to avoid building packages with the missing files, which
    tends to be very easy to get into.

introduced the bug.

What I'd expect the resolved bug is either:
 - soften the error to warning, or
 - introduce a local-option to suppress the new behavior.

The local-option is better here because the error enforces the maintainer to think about the root cause and either fix the watchfile or override the local-options documenting the expected outcome.

Downgrading the dpkg version to 1.19.7 is a temporary workaround as well.

Vasyl

-- Package-specific info:

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.0-108-generic (SMP w/6 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=C (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages dpkg depends on:
ii  libbz2-1.0   1.0.8-3
ii  libc6        2.30-8
ii  liblzma5     5.2.4-1+b1
ii  libselinux1  3.0-1+b3
ii  tar          1.30+dfsg-7
ii  zlib1g       1:1.2.11.dfsg-2

dpkg recommends no packages.

Versions of packages dpkg suggests:
ii  apt            2.1.6
ii  debsig-verify  0.22

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: dpkg
Source-Version: 1.20.2
Done: Guillem Jover <[email protected]>

We believe that the bug you reported is fixed in the latest version of dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Sun, 28 Jun 2020 00:42:11 +0200
Source: dpkg
Architecture: source
Version: 1.20.2
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Developers <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Closes: 963794 963821
Changes:
 dpkg (1.20.2) unstable; urgency=medium
 .
   * dpkg: Do not include the architecture with --robot --version.
   * update-alternatives: Create alternatives directory (/etc/alternatives) if
     it is missing, to help with installation bootstrapping.
     Reported by Johannes Schauer <[email protected]>.
   * update-alternatives: Create the log directory if it is missing.
   * Perl modules:
     - Dpkg::Source::Package: Turn the missing expected tarball signature
       error into a warning for now, as it is causing unintended fallout,
       and does not play nice (yet) with tarballs repackaged by uscan(1).
       Closes: #963821
   * Code internals:
     - update-alternatives: Move log_msg() after make_path() so that we can
       use the latter.
     - update-alternatives: Add new xstrndup() and xdirname() functions.
   * Build system:
     - Set SHELL in the test environment.
     - Do not fail if po4a is not found, and search for it just once.
     - Fix name and section generation for translated man pages. This caused
       pod2man to get an empty --name argument and not output anything,
       resulting in generating empty man pages. Closes: #963794
   * Packaging:
     - Sort debian/dpkg-dev.manpages.
     - Install deb-src-symbols(5) in dpkg-dev package.
--- End Message ---
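
The condition discussed in this thread (a source tree that ships debian/upstream/signing-key.asc while an orig tarball has no detached signature beside it) can be checked before a build. The script below is an added example, not part of the thread and not dpkg's code. The function names, the warn/error mode argument and the pkg_1.0 sample files are assumptions made for illustration; "error" mode mirrors the 1.20.1 behaviour and "warn" mode the 1.20.2 behaviour.

```shell
#!/bin/sh
# Added example, not dpkg's code. Assumed names: check_upstream_sigs,
# make_sample, the warn/error mode argument and the pkg_1.0 sample files.

# check_upstream_sigs SRCDIR TARBALLDIR [warn|error]
# Prints the name of every orig tarball that has no detached .asc signature
# although the source tree ships debian/upstream/signing-key.asc.
# Exit status is 1 only in "error" mode with at least one signature missing.
check_upstream_sigs() {
    srcdir=$1 tardir=$2 mode=${3:-warn}
    missing=0
    # No upstream key shipped: no signature is expected.
    [ -e "$srcdir/debian/upstream/signing-key.asc" ] || return 0
    for tarball in "$tardir"/*.orig.tar.* "$tardir"/*.orig-*.tar.*; do
        case $tarball in *.asc) continue ;; esac   # skip the signatures
        [ -e "$tarball" ] || continue              # unmatched glob
        [ -e "$tarball.asc" ] && continue          # signature present
        missing=$((missing + 1))
        echo "${tarball##*/}"
        echo "$mode: upstream signing key but no signature for ${tarball##*/}" >&2
    done
    [ "$missing" -eq 0 ] || [ "$mode" != error ]
}

# Constructed sample: signed main tarball, repacked component without one.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/src/debian/upstream"
    : > "$d/src/debian/upstream/signing-key.asc"
    : > "$d/pkg_1.0.orig.tar.xz"
    : > "$d/pkg_1.0.orig.tar.xz.asc"
    : > "$d/pkg_1.0.orig-libdvdread-embedded.tar.xz"
    echo "$d"
}

sample=$(make_sample)
check_upstream_sigs "$sample/src" "$sample" warn >/dev/null &&
    echo "warn mode: build continues"
check_upstream_sigs "$sample/src" "$sample" error >/dev/null ||
    echo "error mode: build would stop"
rm -rf "$sample"
```

A detached signature covers the exact bytes upstream published, so a tarball that has been recompressed cannot reuse the original .asc file. A flagged tarball is therefore either a repack that was verified before repacking, or a signature that was never fetched.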

