Bug#856128: debian-watch-may-check-gpg-signature: false positives
Mattia Rizzolo wrote:

> Yes, if upstream does not publish gpg signatures, you are stuck with
> that tag. You may override it if you wish so (I personally wouldn't),
> but the idea is that you should talk with upstream and "convince" him to
> start doing so.

Martin-Éric, does this resolve your query? If so, please go ahead and
close this bug.

Thanks!

Regards,

--
Chris Lamb
la...@debian.org / chris-lamb.co.uk
Bug#856128: debian-watch-may-check-gpg-signature: false positives
On Sun, Feb 26, 2017 at 01:13:47PM +0200, Martin-Éric Racine wrote:
> No, it does not. Adding a pgpurlmangle option won't magically make
> upstream produce GPG signatures.

Oh, sorry, I misread your first email, reading that your upstream does
provide signatures, and even with that lintian was nagging you.

Yes, if upstream does not publish gpg signatures, you are stuck with
that tag. You may override it if you wish so (I personally wouldn't),
but the idea is that you should talk with upstream and "convince" him to
start doing so.

> However, upstream does publish foo.tar.gz.md5 checksums.

MD5 is useless and is nearly as good as nothing for integrity checking.

--
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
more about me:  https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
Bug#856128: debian-watch-may-check-gpg-signature: false positives
2017-02-26 12:07 GMT+02:00 Mattia Rizzolo:
> Control: tag -1 moreinfo
>
> On Sat, Feb 25, 2017 at 01:04:54PM +, Martin-Éric Racine wrote:
>> It appears that debian-watch-may-check-gpg-signature generates false
>> positives.
>>
>> On src:cups-pdf Lintian reports debian-watch-may-check-gpg-signature
>> yet upstream does not publish any GPG signature. However, upstream
>> does publish foo.tar.gz.md5 checksums.
>
> lintian has no knowledge, nor has any way to know that a given upstream
> publishes gpg signatures…

On what basis does it report the error then?

> the problem is that your watch file does not check for a gpg signature,
> exactly as the tag says. And as the tag description says:

It does not check for it because upstream does not provide any.

> N: If upstream distributions provide such signatures, please use the
> N: pgpsigurlmangle options in this watch file's opts= to generate the URL
> N: of an upstream GPG signature. This signature is automatically
> N: downloaded and verified against a keyring stored in
> N: debian/upstream/signing-key.asc.
>
> (instead of pgpsigurlmangle you can use pgpmode=auto if uscan is clever
> enough for this case)
>
> does this solve your issue?

No, it does not. Adding a pgpurlmangle option won't magically make
upstream produce GPG signatures.

Martin-Éric
Bug#856128: debian-watch-may-check-gpg-signature: false positives
Control: tag -1 moreinfo

On Sat, Feb 25, 2017 at 01:04:54PM +, Martin-Éric Racine wrote:
> It appears that debian-watch-may-check-gpg-signature generates false
> positives.
>
> On src:cups-pdf Lintian reports debian-watch-may-check-gpg-signature
> yet upstream does not publish any GPG signature. However, upstream
> does publish foo.tar.gz.md5 checksums.

lintian has no knowledge, nor has any way to know that a given upstream
publishes gpg signatures…

> By the looks of it, debian-watch-may-check-gpg-signature checks for
> the presence of foo.tar.gz.* and reports a positive regardless of
> whether * indeed is a GPG signature or not.

How do you infer that? I find the relevant code pretty clear:

|$withgpgverification = 1
|  if /^pgpsigurlmangle\s*=\s*/;
|$withgpgverification = 1
|  if /^pgpmode\s*=\s*(?!none\s*$)\S.*$/;
|
|tag 'debian-watch-may-check-gpg-signature' unless ($withgpgverification);

the problem is that your watch file does not check for a gpg signature,
exactly as the tag says. And as the tag description says:

N: If upstream distributions provide such signatures, please use the
N: pgpsigurlmangle options in this watch file's opts= to generate the URL
N: of an upstream GPG signature. This signature is automatically
N: downloaded and verified against a keyring stored in
N: debian/upstream/signing-key.asc.

(instead of pgpsigurlmangle you can use pgpmode=auto if uscan is clever
enough for this case)

does this solve your issue?

--
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
more about me:  https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
Bug#856128: debian-watch-may-check-gpg-signature: false positives
Package: lintian
Version: 2.5.50.1
Severity: normal

It appears that debian-watch-may-check-gpg-signature generates false
positives.

On src:cups-pdf Lintian reports debian-watch-may-check-gpg-signature
yet upstream does not publish any GPG signature. However, upstream
does publish foo.tar.gz.md5 checksums.

By the looks of it, debian-watch-may-check-gpg-signature checks for
the presence of foo.tar.gz.* and reports a positive regardless of
whether * indeed is a GPG signature or not.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (800, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages lintian depends on:
ii  binutils                          2.27.90.20170221-1
ii  bzip2                             1.0.6-8.1
ii  diffstat                          1.61-1
ii  file                              1:5.29-3
ii  gettext                           0.19.8.1-2
ii  intltool-debian                   0.35.0+20060710.4
ii  libapt-pkg-perl                   0.1.30
ii  libarchive-zip-perl               1.59-1
ii  libclass-accessor-perl            0.34-1
ii  libclone-perl                     0.38-2+b1
ii  libdpkg-perl                      1.18.22
ii  libemail-valid-perl               1.202-1
ii  libfile-basedir-perl              0.07-1
ii  libipc-run-perl                   0.94-1
ii  liblist-moreutils-perl            0.416-1+b1
ii  libparse-debianchangelog-perl     1.2.0-12
ii  libperl5.24 [libdigest-sha-perl]  5.24.1-1
ii  libtext-levenshtein-perl          0.13-1
ii  libtimedate-perl                  2.3000-2
ii  liburi-perl                       1.71-1
ii  libyaml-libyaml-perl              0.63-2
ii  man-db                            2.7.6.1-2
ii  patchutils                        0.3.4-2
ii  perl                              5.24.1-1
ii  t1utils                           1.39-2
ii  xz-utils                          5.2.2-1.2

Versions of packages lintian recommends:
ii  dpkg                                1.18.22
ii  libperlio-gzip-perl                 0.19-1+b2
ii  perl                                5.24.1-1
ii  perl-modules-5.24 [libautodie-perl]  5.24.1-1

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  dpkg-dev               1.18.22
ii  libhtml-parser-perl    3.72-3
pn  libtext-template-perl  <none>

-- no debconf information