Bug#833012: uscan: don't look for OpenPGP signatures by appending .asc to a query string
I think I ran into this bug today. https://gitlab.gnome.org/cheywood/iotas and https://gitlab.gnome.org/World/Shortwave only publish unsigned tarballs. uscan thinks there is a .asc file present though:

```
...
uscan info: Not downloading, using existing file: iotas-0.1.16.tar.bz2
uscan info: Start checking for common possible upstream OpenPGP signature files
uscan warn: Possible OpenPGP signature found at:
   https://gitlab.gnome.org/cheywood/iotas/-/archive/0.1.16/iotas-0.1.16.tar.bz2.asc
 * Add opts=pgpsigurlmangle=s/$/.asc/ or opts=pgpmode=auto to debian/watch
 * Add debian/upstream/signing-key.asc.
 See uscan(1) for more details
uscan info: End checking for common possible upstream OpenPGP signature files
uscan info: Missing OpenPGP signature.
uscan info: New orig.tar.* tarball version (oversionmangled): 0.1.16
...
```

The asc leads to a 404 (when being logged in to GNOME gitlab) and the login page otherwise. These are the only two cases where I had this bug (note that I do maintain a few other packages hosted at GNOME's GL instance).

regards,
werdahias
Bug#833012: uscan: don't look for OpenPGP signatures by appending .asc to a query string
Hi,

On Sat, Jul 30, 2016 at 02:01:51PM -0700, Sean Whitton wrote:
> Package: devscripts
> Version: 2.16.6
> Severity: normal
>
> Dear maintainers,
>
> uscan tries appending .asc to the tarball download URI. If that returns
> HTTP 200, it will say something like this:
>
> > uscan warn: Possible OpenPGP signature found at:
> >
> > https://addons.mozilla.org/firefox/downloads/file/423258/self_destructing_cookies-0.4.10-an+fx.xpi?src=version-history.asc.
> >Please consider adding opts=pgpsigurlmangle=s/$/.asc/
> >to debian/watch. see uscan(1) for more details.
>
> However, as can be seen from this example, uscan has appended .asc to
> the query string i.e. the part of the URI after the final '?'
> character.

Yes.

> It is highly unlikely that this will ever be a real
> signature file.

In this case, heuristics does not work.

> uscan should, in this kind of case, try the following URI:
>
> > https://addons.mozilla.org/firefox/downloads/file/423258/self_destructing_cookies-0.4.10-an+fx.xpi.asc?src=version-history

The upstream tarball filename is normally found by taking the last component of the URL and removing everything after any '?' or '#'.

Problem is that some query strings contain upstream archive name after ?

Use of pgpsigurlmangle is one way to avoid this problem. But let me think if there is a bit more reasonable heuristics with least complication.

Osamu

> i.e. append the .asc to the part of the URI before the query string.

Yah...

Osamu
Bug#833012: uscan: don't look for OpenPGP signatures by appending .asc to a query string
Package: devscripts
Version: 2.16.6
Severity: normal

Dear maintainers,

uscan tries appending .asc to the tarball download URI. If that returns HTTP 200, it will say something like this:

> uscan warn: Possible OpenPGP signature found at:
>
> https://addons.mozilla.org/firefox/downloads/file/423258/self_destructing_cookies-0.4.10-an+fx.xpi?src=version-history.asc.
>Please consider adding opts=pgpsigurlmangle=s/$/.asc/
>to debian/watch. see uscan(1) for more details.

However, as can be seen from this example, uscan has appended .asc to the query string i.e. the part of the URI after the final '?' character. It is highly unlikely that this will ever be a real signature file.

uscan should, in this kind of case, try the following URI:

https://addons.mozilla.org/firefox/downloads/file/423258/self_destructing_cookies-0.4.10-an+fx.xpi.asc?src=version-history

i.e. append the .asc to the part of the URI before the query string.

Thanks!

-- Package-specific info:

--- /etc/devscripts.conf ---

--- ~/.devscripts ---
DEBCHANGE_FORCE_SAVE_ON_RELEASE=no
DEBRELEASE_UPLOADER=dput
DEBSIGN_KEYID=0x0F56D0553B6D411B
DEB_SIGN_KEYID=0x0F56D0553B6D411B
DEBSIGN_PROGRAM=gpg
RMADISON_DEFAULT_URL=debian,ubuntu
DSCVERIFY_KEYRINGS=~/.gnupg/pubring.gpg
DEBUILD_DPKG_BUILDPACKAGE_OPTS="-us -uc"

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.5.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages devscripts depends on:
ii  dpkg-dev    1.18.9
ii  libc6       2.23-2
ii  perl        5.22.2-3
pn  python3:any

Versions of packages devscripts recommends:
ii  apt                         1.3~pre2
ii  at                          3.1.20-1
ii  curl                        7.47.0-1
ii  dctrl-tools                 2.24-2
ii  debian-keyring              2016.07.02
ii  dput                        0.9.6.4
ii  equivs                      2.0.9+nmu1
ii  fakeroot                    1.21-1
ii  file                        1:5.28-2
ii  gnupg                       1.4.20-6
ii  gnupg2                      2.1.11-7
ii  libdistro-info-perl         0.14
ii  libencode-locale-perl       1.05-1
ii  liblwp-protocol-https-perl  6.06-2
ii  libsoap-lite-perl           1.20-1
ii  liburi-perl                 1.71-1
ii  libwww-perl                 6.15-1
ii  licensecheck                3.0.1-1
ii  lintian                     2.5.45
ii  man-db                      2.7.5-1
ii  patch                       2.7.5-1
ii  patchutils                  0.3.4-1
ii  python3-debian              0.1.28
ii  python3-magic               1:5.28-2
ii  sensible-utils              0.0.9
ii  strace                      4.12-3
ii  unzip                       6.0-20
ii  wdiff                       1.2.2-1+b1
ii  wget                        1.18-2
ii  xz-utils                    5.1.1alpha+20120614-2.1

Versions of packages devscripts suggests:
pn  bsd-mailx | mailx
ii  build-essential             12.2
pn  cvs-buildpackage
pn  devscripts-el
pn  diffoscope
pn  dose-extra
pn  gnuplot
ii  gpgv                        1.4.20-6
ii  libauthen-sasl-perl         2.1600-1
ii  libfile-desktopentry-perl   0.22-1
ii  libnet-smtp-ssl-perl        1.03-1
pn  libterm-size-perl
ii  libtimedate-perl            2.3000-2
pn  libyaml-syck-perl
ii  mozilla-devscripts          0.47
ii  mutt                        1.6.0-1
ii  openssh-client [ssh-client] 1:7.2p2-7
ii  svn-buildpackage            0.8.6
ii  w3m                         0.5.3-29

-- no debconf information

--
Sean Whitton
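
Added example, not part of the thread and not uscan's code: a Python sketch of the two checks the messages above point at, namely placing `.asc` on the URL path ahead of any query string or fragment, and treating an HTTP 200 as a signature only when the body is an ASCII-armored OpenPGP signature (which rejects a login page). The function names, the `fetch` callable, the `example.org` URL and the sample responses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

ARMOR_HEADER = b"-----BEGIN PGP SIGNATURE-----"

def signature_candidate(url, suffix=".asc"):
    """Append suffix to the path component; query string and fragment stay put."""
    parts = urlsplit(url)
    if not parts.path or parts.path.endswith("/"):
        return None  # no file name in the path to hang a signature suffix on
    return urlunsplit(parts._replace(path=parts.path + suffix))

def looks_like_signature(status, content_type, body):
    """HTTP 200 alone is not evidence: require an ASCII-armored signature body."""
    if status != 200:
        return False
    if content_type.split(";")[0].strip().lower() == "text/html":
        return False  # login or error page served with status 200
    return body.lstrip().startswith(ARMOR_HEADER)

def probe(url, fetch):
    """Return the signature URL if the response holds a signature, else None.
    fetch is a caller-supplied callable: url -> (status, content_type, body)."""
    candidate = signature_candidate(url)
    if candidate is None:
        return None
    return candidate if looks_like_signature(*fetch(candidate)) else None

# Constructed responses for offline use; example.org is a placeholder host.
MOZILLA = ("https://addons.mozilla.org/firefox/downloads/file/423258/"
           "self_destructing_cookies-0.4.10-an+fx.xpi?src=version-history")
IOTAS = "https://gitlab.gnome.org/cheywood/iotas/-/archive/0.1.16/iotas-0.1.16.tar.bz2"
SIGNED = "https://example.org/dl/foo-1.0.tar.gz?mirror=1"
SAMPLE_RESPONSES = {
    IOTAS + ".asc": (200, "text/html; charset=utf-8", b"<html>Sign in</html>"),
    "https://example.org/dl/foo-1.0.tar.gz.asc?mirror=1": (
        200, "application/pgp-signature",
        b"-----BEGIN PGP SIGNATURE-----\n\n(constructed)\n-----END PGP SIGNATURE-----\n"),
}

def fake_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, "text/plain", b""))

if __name__ == "__main__":
    print(signature_candidate(MOZILLA))
    print(probe(IOTAS, fake_fetch), probe(SIGNED, fake_fetch))
```

The path-based rule does not help when the archive name itself lives in the query string, the case raised in the reply above; the body check still keeps such a URL from being reported as a signature.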