Your message dated Mon, 29 Jun 2020 11:04:11 +0000
with message-id <[email protected]>
and subject line Bug#963839: fixed in dpkg 1.20.3
has caused the Debian Bug report #963839,
regarding dpkg-dev: gpg tries to write in $HOME when verifying signatures
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
963839: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963839
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg-dev
Version: 1.20.2
Severity: normal

Dear Maintainer,

Since dpkg-dev 1.20.1, dpkg-buildpackage tries to verify tarball signatures from
debian/upstream/signing-key.asc with gpg. When called, gpg tries to write a file
in $HOME/.gnupg. This is not allowed by default when building with sbuild and
pbuilder, and therefore building a package with tarball signatures fails.

For instance with gbp buildpackage (calling cowbuilder):
 dpkg-source -b .
 dpkg-source: info: using source format '3.0 (quilt)'
 dpkg-source: info: building libextractor using existing ./libextractor_1.9.orig.tar.gz
 dpkg-source: info: building libextractor using existing ./libextractor_1.9.orig.tar.gz.asc
 gpg: Fatal: /nonexistent/.gnupg: directory does not exist!
 dpkg-source: error: failed to import key in libextractor-1.9/debian/upstream/signing-key.asc
 dpkg-buildpackage: error: dpkg-source -b . subprocess returned exit status 2

According to the gpg manpage, using the gpg option --no-options would prevent
gpg from creating ~/.gnupg.

Cheers,
Bertrand



--- End Message ---
--- Begin Message ---
Source: dpkg
Source-Version: 1.20.3
Done: Guillem Jover <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 29 Jun 2020 12:37:51 +0200
Source: dpkg
Architecture: source
Version: 1.20.3
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Developers <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Closes: 963839 963844 963944
Changes:
 dpkg (1.20.3) unstable; urgency=medium
 .
   [ Guillem Jover ]
   * Perl modules:
     - Dpkg::OpenPGP: Pass --no-options to gpg in verify_signature().
       Reported by Bertrand Marc <[email protected]>. Closes: #963839
     - Dpkg::Build::Info: Clarify by giving context to the
       get_build_env_whitelist() deprecation warning. Closes: #963844
       Reported by Sven Joachim <[email protected]>.
     - Dpkg::Source::Package: Fix check_original_tarball_signature() to make
       import_key() honor require_valid_signature, which should default to
       false. Reported by Mattia Rizzolo <[email protected]>.
     - Dpkg::OpenPGP: Use a temporary directory for the GnuPG homedir in
       import_key(), to make sure we do not write to the user home directory,
       which might be read-only or non-existent. Closes: #963944
       Reported by Mattia Rizzolo <[email protected]>.
   * Code internals:
     - libdpkg: Print a notice if we cannot write to the log file.
   * Build system:
     - Improve error diagnosis for configure version fetching script.
       Prompted by Norbert Preining <[email protected]>.
 .
   [ Updated programs translations ]
   * German (Sven Joachim).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
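
The two fixes recorded in the 1.20.3 changelog (a temporary GnuPG homedir for the key import, and --no-options so gpg never creates ~/.gnupg) can be reproduced from a shell inside a chroot whose $HOME is read-only or missing. This is an added example, not dpkg's Perl code; the function name verify_upstream_sig and the sigcheck.* directory name are made up for illustration.

```shell
#!/bin/sh
# Added example (not from dpkg): verify a detached upstream signature
# without reading or writing anything under $HOME.
#
# Usage: verify_upstream_sig KEYFILE TARBALL SIGFILE
# Returns 0 on a good signature, 1 if verification fails,
# 2 on a setup error (unreadable input, key import failure).
verify_upstream_sig() {
    key=$1
    tarball=$2
    sig=$3

    for f in "$key" "$tarball" "$sig"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
    done

    # Throwaway GnuPG home; mktemp -d creates it with mode 0700,
    # which gpg expects for a homedir.
    gnupghome=$(mktemp -d "${TMPDIR:-/tmp}/sigcheck.XXXXXX") || return 2
    rc=0

    # --no-options skips the option file and prevents creation of ~/.gnupg;
    # --homedir points the keyring and trustdb at the throwaway directory.
    gpg --no-options --homedir "$gnupghome" --batch --quiet \
        --import "$key" || rc=2

    if [ "$rc" -eq 0 ]; then
        gpg --no-options --homedir "$gnupghome" --batch --quiet \
            --verify "$sig" "$tarball" || rc=1
    fi

    # Always remove the temporary keyring, whatever the outcome.
    rm -rf -- "$gnupghome"
    return "$rc"
}
```

A call such as `verify_upstream_sig debian/upstream/signing-key.asc ../libextractor_1.9.orig.tar.gz ../libextractor_1.9.orig.tar.gz.asc` corresponds to the check that failed in the report above.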