Package: lintian
Version: 2.122.0

Hi!

It seems orig-tarball-missing-upstream-signature is enabled at Warning
severity level when debian/upstream/signing-key.asc exists but there is
no *.asc PGP tarball signature, see lintian complaint below.

However 'ding-libs' is using upstream git as the source, and upstream
uses PGP signed tags, as explained by debian/watch:

Version: 5
Source: https://github.com/SSSD/ding-libs.git
Matching-Pattern: refs/tags/@ANY_VERSION@
Mode: git
Pgpmode: gittag

For that PGP git tag verification to work, a PGP key is needed, and I
believe uscan and other tools use debian/upstream/signing-key.asc for
verifying PGP-signed git tags, and have done so for a long time now.

Thus, I think orig-tarball-missing-upstream-signature should be modified
to not trigger, at least not at warning level, when PGP-signed git tags
are used.

I did not see PGP-signed git tags discussed in #954743 and #872864 but
could have missed it, so I think this is a somewhat different situation.

Thoughts?

/Simon

W: ding-libs source: orig-tarball-missing-upstream-signature ding-libs_0.7.0.orig.tar.xz
N: 
N:   The packaging includes an upstream signing key but the corresponding .asc
N:   signature for one or more source tarballs are not included in your
N:   .changes file.
N:   
N:   Please ensure a <package>_<version>.orig.tar.<ext>.asc file exists in the
N:   same directory as your <package>_<version>.orig.tar.<ext> tarball prior to
N:   dpkg-source --build being called.
N:   
N:   If you are repackaging your source tarballs for Debian Free Software
N:   Guidelines compliance reasons, ensure that your package version includes
N:   dfsg or similar.
N:   
N:   Sometimes, an upstream signature must be added for an orig.tar.gz that is
N:   already present in the archive. Please include the upstream sources again
N:   with dpkg-genchanges -sa while the signature is also present. Your upload
N:   will be accepted as long as the new orig.tar.gz file is identical to the
N:   old one.
N: 
N:   Please refer to Bug#954743 and Bug#872864 for details.
N: 
N:   Visibility: warning
N:   Show-Always: no
N:   Check: upstream-signature
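
The behaviour requested in this report, sketched as an added example; it is not part of the original message and not lintian's own code (lintian is written in Perl). The function names are hypothetical, and the sketch assumes the tag is suppressed entirely, rather than downgraded, when debian/watch sets the gittag PGP mode.

```python
import re

TAG = "orig-tarball-missing-upstream-signature"

# "Pgpmode: gittag" as in the version 5 watch file quoted in the report,
# or the version 4 spelling inside opts="...pgpmode=gittag...".
_GITTAG = re.compile(r"^pgpmode:\s*gittag\s*$|\bpgpmode\s*=\s*gittag\b",
                     re.I | re.M)

def watch_uses_signed_git_tags(watch_text):
    """True if debian/watch asks uscan to verify PGP-signed git tags."""
    # Drop comment lines so a commented-out option does not count.
    live = [l for l in watch_text.splitlines()
            if not l.lstrip().startswith("#")]
    return _GITTAG.search("\n".join(live)) is not None

def missing_signature_tags(orig_tarballs, changes_files,
                           has_signing_key, watch_text):
    """Return (severity, tag, tarball) for each tarball that should be flagged."""
    if not has_signing_key:
        return []  # no debian/upstream/signing-key.asc, nothing to compare
    if watch_uses_signed_git_tags(watch_text):
        # Assumption: the key is present to verify tags, so no detached
        # tarball signature is expected in the .changes file.
        return []
    return [("W", TAG, t) for t in orig_tarballs
            if t + ".asc" not in changes_files]

# debian/watch as quoted in the report.
DING_LIBS_WATCH = """Version: 5
Source: https://github.com/SSSD/ding-libs.git
Matching-Pattern: refs/tags/@ANY_VERSION@
Mode: git
Pgpmode: gittag
"""

# Constructed contrast case: a tarball-based watch file with a detached
# signature URL, where a missing .asc should still be reported.
TARBALL_WATCH = """version=4
# pgpmode=gittag (commented out, must be ignored)
opts="pgpsigurlmangle=s/$/.asc/" https://example.org/releases/ foo-(.+)\\.tar\\.xz
"""

if __name__ == "__main__":
    orig = ["ding-libs_0.7.0.orig.tar.xz"]
    print(missing_signature_tags(orig, set(orig), True, DING_LIBS_WATCH))
    print(missing_signature_tags(orig, set(orig), True, TARBALL_WATCH))
```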
