Your message dated Sun, 11 May 2014 18:33:32 +0000 with message-id <[email protected]> and subject line Bug#732449: fixed in devscripts 2.14.2 has caused the Debian Bug report #732449, regarding devscripts: uscan should check for likely URLs for upstream cryptographic signatures to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
732449: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732449
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: devscripts
Version: 2.13.8
Severity: normal
Tags: patch

now that pgpsigurlmangle is available, it would be nice to remind package maintainers if upstream is offering something that looks like a cryptographic signature. the attached patch implements such a check.

--dkg

-- Package-specific info:

--- /etc/devscripts.conf ---

--- ~/.devscripts ---
Not present

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages devscripts depends on:
ii dpkg-dev 1.16.12
ii libc6 2.17-97
ii perl 5.18.1-5
ii python3 3.3.2-17
pn python3:any <none>

Versions of packages devscripts recommends:
ii at 3.1.14-1
ii curl 7.33.0-1
ii dctrl-tools 2.23
ii debian-keyring 2013.12.13
ii dput-ng [dput] 1.7
ii dupload 2.7.0
pn equivs <none>
ii fakeroot 1.18.4-2
ii gnupg 1.4.15-1.1
ii libdistro-info-perl 0.11
ii libencode-locale-perl 1.03-1
ii libjson-perl 2.61-1
ii liblwp-protocol-https-perl 6.04-2
ii libparse-debcontrol-perl 2.005-4
pn libsoap-lite-perl <none>
ii liburi-perl 1.60-1
ii libwww-perl 6.05-2
ii lintian 2.5.20
ii man-db 2.6.5-2
ii patch 2.7.1-4
ii patchutils 0.3.2-3
ii python3-debian 0.1.21+nmu2
pn python3-magic <none>
ii sensible-utils 0.0.9
ii strace 4.5.20-2.3
ii unzip 6.0-10
ii wdiff 1.2.1-1
ii wget 1.14-5
ii xz-utils 5.1.1alpha+20120614-2

Versions of packages devscripts suggests:
ii build-essential 11.6
pn cvs-buildpackage <none>
ii devscripts-el 35.8
pn gnuplot <none>
ii gpgv 1.4.15-1.1
ii heirloom-mailx [mailx] 12.5-2
pn libauthen-sasl-perl <none>
pn libfile-desktopentry-perl <none>
ii libnet-smtp-ssl-perl 1.01-3
pn libterm-size-perl <none>
ii libtimedate-perl 2.3000-1
pn libyaml-syck-perl <none>
ii mailutils [mailx] 1:2.99.98-1.1
pn mutt <none>
ii
openssh-client [ssh-client] 1:6.4p1-1 ii svn-buildpackage 0.8.5 pn w3m <none> -- debconf-show failedcommit 20a435df7093fb0048bf6471e9ca6f3fc17ee3b6 Author: Daniel Kahn Gillmor <[email protected]> Date: Wed Dec 18 02:21:50 2013 -0500 uscan checks for likely upstream signatures if none are known uscan tries to fetch the usual suffixes (.asc, .gpg, .pgp, .sig) appended to the tarball URL to see if we can find a likely-looking cryptographic signature. If one is found, we suggest that the package maintainer to investigate it and encourage them set up future checks. diff --git a/scripts/uscan.pl b/scripts/uscan.pl index 0ffe9f2..6cdce00 100755 --- a/scripts/uscan.pl +++ b/scripts/uscan.pl @@ -1412,6 +1412,16 @@ EOF '--keyring', 'debian/upstream-signing-key.pgp', "$destdir/$newfile_base.pgp", "$destdir/$newfile_base") >> 8 == 0 or uscan_die("$progname warning: OpenPGP signature did not verify.\n"); + } else { + print "-- Checking for common possible upsteam OpenPGP signatures\n" if $verbose; + foreach my $suffix (qw(asc gpg pgp sig)) { + my $sigrequest = HTTP::Request->new('GET' => "$upstream_url.$suffix"); + my $sigresponse = $user_agent->request($sigrequest); + if ($sigresponse->is_success()) { + uscan_warn "$pkg: Possible OpenPGP signature found at:\n $upstream_url.$suffix.\n Please consider adding opts=pgpsigurlmangle=s/\$/.$suffix/\n to debian/watch. see uscan(1) for more details.\n"; + last; + } + } } if ($repack and $newfile_base =~ /^(.*)\.(tar\.bz2|tbz2?)$/) {
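Review bot: In the new `else` branch, `if ($sigresponse->is_success())` treats any 2xx reply to the GET of `"$upstream_url.$suffix"` as a possible signature, so a server that answers unknown paths with a 200 error page or a catch-all page will trigger the warning for `.asc` on every run. Consider inspecting the response before warning, for example checking that the body looks like an OpenPGP signature (an ASCII-armored `-----BEGIN PGP SIGNATURE-----` header or a binary signature packet), and wording the message so the maintainer knows the file was only found, not verified against any key. Smaller points in the same hunk: the verbose message has a typo (`upsteam`), the warning text puts a full stop directly after `$upstream_url.$suffix`, which reads as part of the URL when copied, and the probe adds up to four extra requests per run with no option visible here to turn it off.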
--- End Message ---
--- Begin Message ---
Source: devscripts
Source-Version: 2.14.2

We believe that the bug you reported is fixed in the latest version of devscripts, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <[email protected]> (supplier of updated devscripts package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 11 May 2014 13:15:22 -0400
Source: devscripts
Binary: devscripts
Architecture: source amd64
Version: 2.14.2
Distribution: unstable
Urgency: medium
Maintainer: Devscripts Devel Team <[email protected]>
Changed-By: James McCoy <[email protected]>
Description:
 devscripts - scripts to make the life of a Debian Package maintainer easier
Closes: 730768 732449 736798 739437 741040 743462 744320 745565 746612
Changes:
 devscripts (2.14.2) unstable; urgency=medium
 .
   [ Jakub Wilk ]
   * sadt:
     + Add support for @builddeps@ in tests' Depends. (Closes: #736798)
 .
   [ Benjamin Drung ]
   * Bump Standard-Version to 3.9.5.
   * Wrap long line in extended description.
 .
   [ Paul Wise ]
   * Use HTTPS for the buildd logs to avoid a redirect
   * Fix scraping of the wnpp web pages due to https links
 .
   [ Daniel Kahn Gillmor ]
   * uscan: check for likely upstream signatures if none are known
     (Closes: #732449)
 .
   [ Cyril Brulebois ]
   * deb-reversion: Add support for udebs. (Closes: #739437)
 .
   [ Gunnar Wolf ]
   * debcommit: Add switch+conf.setting allowing to specify Git to sign
     every single commit (Closes: #741040)
 .
   [ James McCoy ]
   * debcommit: Add hg and bzr support to DEBCOMMIT_SIGN_COMMITS.
   * mk-build-deps: Uninstall the build-dep packages if apt isn't able to
     complete their install. (Closes: #743462)
   * dpkg-depcheck: Convert relative paths to absolute before filtering, so
     filters properly match the path. Thanks to William King for the patch.
     (Closes: #744320)
   * debchange:
     + Document the default urgency is medium. Thanks to Anders Kaseorg for
       the patch. (Closes: #745565)
     + Add “binary-only=yes” to binNMU changelog stanzas. Thanks to Thorsten
       Glaser for the patch. (Closes: #746612)
 .
   [ Andreas Tille ]
   * uscan: Allow a different compression scheme when repacking upstream
     tarballs. (Closes: #730768)
 .
   [ Antonio Terceiro ]
   * debi/debc: always try ../build-area/ when the changes file is not found
     under ../ (even when not using svn)
 .
   [ Joachim Breitner ]
   * mk-origtargz: New script to rename (or symlink or copy) a downloaded
     upstream tarball to the correct name, possibly changing the compression
     scheme and removing files listed in debian/copyright's Excluded-Files.
     This is now also used by uscan, where most of the code comes from.
--- End Message ---
_______________________________________________
devscripts-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
