On Sat, 17 Oct 2015 19:12:55 +0900 Osamu Aoki wrote:

> As for the idea of chk-origtgz, the new uscan and uupdate combination
> records the hash of the original tarball before it is repacked to orig.tar.gz.
> This may be used by the chk-origtgz you are thinking...
Stuart Prescott and I wrote the attached sketch of concept for chk-origtgz.

Unfortunately it doesn't work, because uscan --safe doesn't repack the tarball, nor does it write the tarball to the same filename as what the usual orig.tar.gz is called, but only what the upstream tarball is called.

Please note that it verifies the old tarball against the old gpg sigs, but uscan does not yet store the old signatures in debian/ (#727096).

So this will need a way to make uscan do everything (including signature checks, repacking etc.) except running uupdate or other code from debian/watch and debian/copyright, since running code from the debian/watch file could cause security issues for DDs who want to check tarballs when sponsoring packages.

I dropped tardiff since it didn't seem very reliable for the simple test cases that I constructed.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Attachment: chk-origtargz (application/shellscript)
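An added example of the check the message describes (this is not the attached chk-origtargz sketch, nor devscripts code): compare a downloaded upstream tarball against a hash recorded earlier and, when a detached signature plus a keyring are available, against that signature, without executing anything from debian/watch. The one-line record format ("<sha256-hex>  <filename>", i.e. sha256sum output) and the file names are assumptions for the example.

```bash
#!/bin/bash
# Added example, not the attached chk-origtargz sketch. Verifies an upstream
# tarball against a previously recorded hash and, optionally, a detached
# signature. debian/watch is never read or executed: the inputs are only
# files and a record whose format we assume here (sha256sum output, one line).

# verify_upstream_tarball TARBALL HASHRECORD [SIGNATURE KEYRING]
# Returns 0 when every available check passes, 1 otherwise.
verify_upstream_tarball() {
    local tarball=$1 record=$2 sig=${3:-} keyring=${4:-}
    local expected actual

    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
    [ -f "$record" ]  || { echo "missing hash record: $record" >&2; return 1; }

    # Compare the tarball's hash with the recorded one (first field of the record).
    expected=$(awk 'NR==1 {print $1}' "$record")
    actual=$(sha256sum "$tarball" | awk '{print $1}')
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "hash mismatch for $tarball: recorded=$expected actual=$actual" >&2
        return 1
    fi

    # Optional: check the upstream detached signature with the packaged keyring
    # (e.g. debian/upstream/signing-key.asc dearmored into a gpgv keyring).
    if [ -n "$sig" ]; then
        [ -n "$keyring" ] || { echo "signature given but no keyring" >&2; return 1; }
        if ! gpgv --keyring "$keyring" "$sig" "$tarball" 2>/dev/null; then
            echo "signature check failed for $tarball" >&2
            return 1
        fi
    fi

    echo "ok: $tarball matches recorded hash${sig:+ and signature}"
    return 0
}
```

Run it as `verify_upstream_tarball foo-1.0.tar.gz foo-1.0.sha256 foo-1.0.tar.gz.asc upstream.kbx`; a sponsor can thus check a tarball without running the sponsee's watch file.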
devscripts-devel mailing list: http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
