Your message dated Tue, 23 Jan 2018 22:14:19 +0900
with message-id <[email protected]>
and subject line Re: Bug#888046: devscripts: Support signatures against
uncompressed tarballs
has caused the Debian Bug report #888046,
regarding devscripts: Support signatures against uncompressed tarballs
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
888046: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888046
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: devscripts
Version: 2.17.12~bpo9+1
Severity: wishlist
File: /usr/bin/uscan
There are a number of projects hosted at kernel.org that use the
kup-client utility to handle uploads. While it may upload a signature to
verify the uploaded tarballs, those signatures are against the
uncompressed tarball, rather than the compressed tarballs.
For example, for dtc version 1.4.6, there is:
https://www.kernel.org/pub/software/utils/dtc/
dtc-1.4.6.tar.gz
dtc-1.4.6.tar.sign
dtc-1.4.6.tar.xz
I can download either .tar.gz or .tar.xz, decompress them, and then use
the .tar.sign to verify it, but I don't see any obvious way to do this
from debian/watch.
I'm also not sure the Debian archive supports uploading a signature file
against a file that isn't included in the distribution, so maybe this
isn't really an issue worth handling in uscan...
live well,
vagrant
-- Package-specific info:
--- /etc/devscripts.conf ---
--- ~/.devscripts ---
Not present
-- System Information:
Debian Release: 9.3
APT prefers stable
APT policy: (500, 'stable'), (210, 'proposed-updates'), (120, 'unstable'),
(1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf, arm64
Kernel: Linux 4.9.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages devscripts depends on:
ii dpkg-dev 1.18.24
ii libc6 2.24-11+deb9u1
ii libfile-homedir-perl 1.00-1
ii perl 5.24.1-3+deb9u2
ii python3 3.5.3-1
ii sensible-utils 0.0.9+deb9u1
Versions of packages devscripts recommends:
ii apt 1.4.8
ii at 3.1.20-3
ii curl 7.52.1-5+deb9u3
ii dctrl-tools 2.24-2+b1
ii debian-keyring 2017.11.24
ii dput-ng [dput] 1.13
ii equivs 2.0.9+nmu1
ii fakeroot 1.21-3.1
ii file 1:5.30-1+deb9u1
ii gnupg 2.1.18-8~deb9u1
ii gnupg2 2.1.18-8~deb9u1
ii libdistro-info-perl 0.14
ii libdpkg-perl 1.18.24
ii libencode-locale-perl 1.05-1
ii libgit-wrapper-perl 0.047-1
ii liblist-compare-perl 0.53-1
ii liblwp-protocol-https-perl 6.06-2
ii libsoap-lite-perl 1.20-1
ii liburi-perl 1.71-1
ii libwww-perl 6.15-1
ii licensecheck 3.0.29-1
ii lintian 2.5.67~bpo9+1
ii man-db 2.7.6.1-2
ii patch 2.7.5-1+b2
ii patchutils 0.3.4-2
ii python3-apt 1.4.0~beta3
ii python3-debian 0.1.30
ii python3-magic 1:5.30-1+deb9u1
ii python3-requests 2.12.4-1
pn python3-unidiff <none>
ii python3-xdg 0.25-4
ii strace 4.15-2
ii unzip 6.0-21
ii wdiff 1.2.2-2
ii wget 1.18-5+deb9u1
ii xz-utils 5.2.2-1.2+b1
Versions of packages devscripts suggests:
pn adequate <none>
ii autopkgtest 4.4
pn bls-standalone <none>
ii bsd-mailx [mailx] 8.1.2-0.20160123cvs-4
ii build-essential 12.3
pn check-all-the-things <none>
pn cvs-buildpackage <none>
pn devscripts-el <none>
pn diffoscope <none>
pn disorderfs <none>
pn dose-extra <none>
pn duck <none>
pn faketime <none>
pn gnuplot <none>
ii gpgv 2.1.18-8~deb9u1
pn how-can-i-help <none>
ii libauthen-sasl-perl 2.1600-1
ii libfile-desktopentry-perl 0.22-1
pn libnet-smtps-perl <none>
pn libterm-size-perl <none>
ii libtimedate-perl 2.3000-2
pn libyaml-syck-perl <none>
pn mozilla-devscripts <none>
ii mutt 1.7.2-1
ii openssh-client [ssh-client] 1:7.4p1-10+deb9u2
pn piuparts <none>
pn postgresql-client <none>
ii quilt 0.63-8
pn ratt <none>
pn reprotest <none>
pn svn-buildpackage <none>
ii w3m 0.5.3-34
-- no debconf information
--- End Message ---
--- Begin Message ---
control: notfound 888046 2.17.12
Hi,
In short: There is no bug. RTFM-situation.
I am in a good mood to do my user support duty :-) So let me show.
On Mon, Jan 22, 2018 at 01:24:20PM -0800, Vagrant Cascadian wrote:
> Package: devscripts
> Version: 2.17.12~bpo9+1
With or without bpo, you have a relatively recent version, so you
shouldn't have a problem.
> Severity: wishlist
> File: /usr/bin/uscan
> There are a number of projects hosted at kernel.org that use the
> kup-client utility to handle uploads. While it may upload a signature to
> verify the uploaded tarballs, those signatures are against the
> uncompressed tarball, rather than the compressed tarballs.
>
> For example, for dtc version 1.4.6, there is:
>
> https://www.kernel.org/pub/software/utils/dtc/
>
> dtc-1.4.6.tar.gz
> dtc-1.4.6.tar.sign
> dtc-1.4.6.tar.xz
>
> I can download either .tar.gz or .tar.xz, decompress them, and then use
> the .tar.sign to verify it, but I don't see any obvious way to do this
> from debian/watch.
The obvious way is to read the manpage of uscan. ... many ways but
something along
    version=4
    opts="pgpmode=mangle, pgpsigurlmangle=s%tar\..z$%tar\.sign%" \
    https://www.kernel.org/pub/software/utils/dtc/ \
    @PACKAGE@@ANY_VERSION@@ARCHIVE_EXT@ \
    debian uupdate
This assumes your source package name is "dtc".
@ARCHIVE_EXT@ may be used in place of \.tar\.xz
I tried on a dummy package tree with version="0~0.0-1" in changelog.
$ uscan --verbose
uscan info: The directory to store downloaded files($destdir): ..
uscan info: uscan (version 2.18.1) See uscan(1) for help
uscan info: Scan watch files in .
uscan info: Check debian/watch and debian/changelog in .
uscan info: package="dtc" version="0~0.0-1" (as seen in debian/changelog)
uscan info: package="dtc" version="0~0.0" (no epoch/revision)
uscan info: ./debian/changelog sets package="dtc" version="0~0.0"
uscan info: Process watch file at: debian/watch
package = dtc
version = 0~0.0
pkg_dir = .
uscan info: opts: pgpmode=mangle, pgpsigurlmangle=s%tar\..z$%tar\.sign%
uscan info: line: https://www.kernel.org/pub/software/utils/dtc/
dtc[-_]?(\d[\-+\.:\~\da-zA-Z]*)(?i)\.(?:tar\.xz|tar\.bz2|tar\.gz|zip) debian
uupdate
uscan info: Parsing pgpmode=mangle
uscan info: Parsing pgpsigurlmangle=s%tar\..z$%tar\.sign%
uscan info: line: https://www.kernel.org/pub/software/utils/dtc/
dtc[-_]?(\d[\-+\.:\~\da-zA-Z]*)(?i)\.(?:tar\.xz|tar\.bz2|tar\.gz|zip) debian
uupdate
uscan info: Last orig.tar.* tarball version (from debian/changelog): 0~0.0
uscan info: Last orig.tar.* tarball version (dversionmangled): 0~0.0
uscan info: Requesting URL:
https://www.kernel.org/pub/software/utils/dtc/
uscan info: Matching pattern:
(?:(?:https://www.kernel.org)?\/pub\/software\/utils\/dtc\/)?dtc[-_]?(\d[\-+\.:\~\da-zA-Z]*)(?i)\.(?:tar\.xz|tar\.bz2|tar\.gz|zip)
uscan info: Found the following matching hrefs on the web page (newest first):
dtc-1.4.6.tar.xz (1.4.6) index=1.4.6-4
dtc-1.4.6.tar.gz (1.4.6) index=1.4.6-1
dtc-1.4.5.tar.xz (1.4.5) index=1.4.5-4
dtc-1.4.5.tar.gz (1.4.5) index=1.4.5-1
dtc-1.4.4.tar.xz (1.4.4) index=1.4.4-4
dtc-1.4.4.tar.gz (1.4.4) index=1.4.4-1
dtc-1.4.3.tar.xz (1.4.3) index=1.4.3-4
dtc-1.4.3.tar.gz (1.4.3) index=1.4.3-1
dtc-1.4.2.tar.xz (1.4.2) index=1.4.2-4
dtc-1.4.2.tar.gz (1.4.2) index=1.4.2-1
dtc-1.4.1.tar.xz (1.4.1) index=1.4.1-4
dtc-1.4.1.tar.gz (1.4.1) index=1.4.1-1
dtc-1.4.0.tar.xz (1.4.0) index=1.4.0-4
dtc-1.4.0.tar.gz (1.4.0) index=1.4.0-1
dtc-1.3.0.tar.xz (1.3.0) index=1.3.0-4
dtc-1.3.0.tar.gz (1.3.0) index=1.3.0-1
dtc-1.2.0-rc2.tar.xz (1.2.0-rc2) index=1.2.0-rc2-4
dtc-1.2.0-rc2.tar.gz (1.2.0-rc2) index=1.2.0-rc2-1
dtc-1.2.0-rc1.tar.xz (1.2.0-rc1) index=1.2.0-rc1-4
dtc-1.2.0-rc1.tar.gz (1.2.0-rc1) index=1.2.0-rc1-1
dtc-1.2.0.tar.xz (1.2.0) index=1.2.0-4
dtc-1.2.0.tar.gz (1.2.0) index=1.2.0-1
dtc-1.1.0-rc1.tar.xz (1.1.0-rc1) index=1.1.0-rc1-4
dtc-1.1.0-rc1.tar.gz (1.1.0-rc1) index=1.1.0-rc1-1
dtc-1.1.0.tar.xz (1.1.0) index=1.1.0-4
dtc-1.1.0.tar.gz (1.1.0) index=1.1.0-1
dtc-1.0.0-rc1.tar.xz (1.0.0-rc1) index=1.0.0-rc1-4
dtc-1.0.0-rc1.tar.gz (1.0.0-rc1) index=1.0.0-rc1-1
dtc-1.0.0.tar.xz (1.0.0) index=1.0.0-4
dtc-1.0.0.tar.gz (1.0.0) index=1.0.0-1
uscan info: Looking at $base = https://www.kernel.org/pub/software/utils/dtc/
with
$filepattern =
dtc[-_]?(\d[\-+\.:\~\da-zA-Z]*)(?i)\.(?:tar\.xz|tar\.bz2|tar\.gz|zip) found
$newfile = dtc-1.4.6.tar.xz
$newversion = 1.4.6 which is newer than
$lastversion = 0~0.0
uscan info: Matching target for downloadurlmangle:
https://www.kernel.org/pub/software/utils/dtc/dtc-1.4.6.tar.xz
uscan info: Upstream URL(+tag) to download is identified as
https://www.kernel.org/pub/software/utils/dtc/dtc-1.4.6.tar.xz
uscan info: Filename (filenamemangled) for downloaded file: dtc-1.4.6.tar.xz
uscan: Newest version of dtc on remote site is 1.4.6, local version is 0~0.0
uscan: => Newer package available from
https://www.kernel.org/pub/software/utils/dtc/dtc-1.4.6.tar.xz
uscan info: Downloading upstream package: dtc-1.4.6.tar.xz
uscan info: Requesting URL:
https://www.kernel.org/pub/software/utils/dtc/dtc-1.4.6.tar.xz
uscan info: Successfully downloaded package: dtc-1.4.6.tar.xz
uscan info: Downloading OpenPGP signature from
https://www.kernel.org/pub/software/utils/dtc/dtc-1.4.6.tar.sign
(pgpsigurlmangled)
as dtc-1.4.6.tar.xz.n
uscan info: Requesting URL:
https://www.kernel.org/pub/software/utils/dtc/dtc-1.4.6.tar.sign
uscan die: FAIL Checking OpenPGP signature (no keyring).
(Of course it fails here since I didn't bother to add a keyring.)
(xz is preferred over gz, as written in the manpage.)
I think uscan works now for your need. Please read the manual thoroughly.
The actual version of uscan is a bit ahead of the published version, but the
older one should be the same.
> I'm also not sure the Debian archive supports uploading a signature file
> against a file that isn't included in the distribution, so maybe this
> isn't really an issue worth handling in uscan...
That is not a uscan bug. I as the primary uscan committer want to hear
your experience. Did you try? If you find out the answer, please let
me know what shall be done.
Osamu
--- End Message ---
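The manual check described in the first message (decompress the download, then verify it against the .tar.sign file), written out as an added example that is not part of either message or of uscan. The keyring path and the script name are assumptions; gpgv is used so that only keys in the keyring you pass are accepted.

```shell
#!/bin/sh
# Added example: check a kernel.org-style detached signature that covers the
# UNCOMPRESSED tar stream, starting from a compressed download.

# Print the command that writes the plain tar to stdout for this file name.
decompressor_for() {
    case "$1" in
        *.tar.xz)  echo "xz -dc" ;;
        *.tar.gz)  echo "gzip -dc" ;;
        *.tar.bz2) echo "bzip2 -dc" ;;
        *) return 1 ;;
    esac
}

# dtc-1.4.6.tar.xz or dtc-1.4.6.tar.gz -> dtc-1.4.6.tar.sign
sig_name_for() {
    case "$1" in
        *.tar.xz|*.tar.gz|*.tar.bz2) echo "${1%.*}.sign" ;;
        *) return 1 ;;
    esac
}

# verify_uncompressed KEYRING TARBALL [SIGFILE]
# KEYRING (assumption): a binary keyring file holding only the upstream
# signing key; pass it with a path containing "/" so gpgv uses it as given.
# Returns 2 on unusable input, otherwise gpgv's own exit status.
verify_uncompressed() {
    keyring=$1
    tarball=$2
    sig=$3
    [ -n "$sig" ] || sig=$(sig_name_for "$tarball") || return 2
    dec=$(decompressor_for "$tarball") || return 2
    [ -r "$keyring" ] && [ -r "$tarball" ] && [ -r "$sig" ] || return 2
    # "-" makes gpgv read the signed data from stdin. The pipeline's status
    # is gpgv's: a failed or truncated decompression cannot verify.
    $dec -- "$tarball" | gpgv --keyring "$keyring" "$sig" -
}

# Script use (hypothetical name): sh verify-tar-sign.sh ./upstream.gpg dtc-1.4.6.tar.xz
[ "$#" -eq 0 ] || verify_uncompressed "$@"
```

Because the signature covers the tar stream, the same dtc-1.4.6.tar.sign validates both the .tar.xz and the .tar.gz download; checking it against the compressed file itself fails.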