Bug#964971: lintian: please consider new check: expired keys in debian/upstream/signing-key.asc

Hello, On Wed, Mar 24, 2021 at 09:59:59AM +0100, Christoph Biedl wrote: > Felix Lechner wrote... > > > By the way, the suggestion behind this bug may not be implemented > > anytime soon. It would cause Lintian's output to change over time > > (same Lintian version on same package). Such tags are

Bug#964971: lintian: please consider new check: expired keys in debian/upstream/signing-key.asc

Good morning Felix, Felix Lechner wrote on Tue, Mar 23, 2021 at 14:16:26 -0700: > Hi Daniel, > > On Mon, Jul 13, 2020 at 8:27 AM Daniel Shahaf wrote: > > > > a debian/upstream/signing-key.asc file > > which contains an expired snapshot of upstream's signing key > > Did uscan give you any

Bug#964971: lintian: please consider new check: expired keys in debian/upstream/signing-key.asc

Hi Christoph, On Wed, Mar 24, 2021 at 2:00 AM Christoph Biedl wrote: > > But that's your design decision. No, it's an indicator that another QA tool might be a better place for the warning. > Other people's workflow might be different, though. Everyone with a key uses 'uscan', and that is the

Bug#964971: lintian: please consider new check: expired keys in debian/upstream/signing-key.asc

Felix Lechner wrote... > By the way, the suggestion behind this bug may not be implemented > anytime soon. It would cause Lintian's output to change over time > (same Lintian version on same package). Such tags are hard to test in > Lintian's test suite. That argument seems fairly weird to me:

Bug#964971: lintian: please consider new check: expired keys in debian/upstream/signing-key.asc

Hi Christoph, On Tue, Mar 23, 2021 at 2:23 PM Christoph Biedl wrote: > > gpgv: Can't check signature: No public key That makes sense. I had a similar issue with wolfssl. Version 4.6.0-3 in unstable still contains the expired public key, but the validation worked previously. As this open

Bug#964971: lintian: please consider new check: expired keys in debian/upstream/signing-key.asc

Felix Lechner wrote... > Did uscan give you any trouble when trying to validate upstream's > release signature? Try libgpg-error before #985793 gets fixed: uscan: Newest version of libgpg-error on remote site is 1.42, local version is 1.38 uscan: => Newer package available from:

Bug#964971: lintian: please consider new check: expired keys in debian/upstream/signing-key.asc

Hi Daniel, On Mon, Jul 13, 2020 at 8:27 AM Daniel Shahaf wrote: > > a debian/upstream/signing-key.asc file > which contains an expired snapshot of upstream's signing key Did uscan give you any trouble when trying to validate upstream's release signature? Kind regards Felix Lechner

Bug#964971: lintian: please consider new check: expired keys in debian/upstream/signing-key.asc

Axel Beckert wrote... > That might be something for lintian-brush once a lintian check is > there. Cc'ing Jelmer, the author of lintian-brush. What's the status of that story? I hacked a few lines together that work at least for the case where I encountered the problem. But it's fairly fragile

Bug#964971: lintian: please consider new check: expired keys in debian/upstream/signing-key.asc

Hi, Daniel Shahaf wrote: > After extending the key I re-pushed it to keyservers, but did not > regenerate the d/u/signing-key.asc export. (I'd like to automate > that regeneration, since my key appears in multiple packages' > signing-key.asc files, but that's a question for another thread.) That

Bug#964971: lintian: please consider new check: expired keys in debian/upstream/signing-key.asc

Package: lintian Version: 2.83.0 Severity: wishlist Tags: upstream Dear Maintainer, I noticed yesterday that the current source package of zsh-syntax-highlighting contains a debian/upstream/signing-key.asc file which contains an expired snapshot of upstream's signing key: the snapshot gives the