Re: debian/upstream/signing-key.asc in policy 4.1.0

2017-08-28 Thread Osamu Aoki
Hi,

On Sun, Aug 27, 2017 at 08:51:49PM -0300, Henrique de Moraes Holschuh wrote:
> On Wed, 23 Aug 2017, Russ Allbery wrote:
> > Note that this Policy language is carefully written to make it perfectly
> > fine for uscan to support all the things it currently supports, since it
> > only talks about what Policy recommends the maintainer does.  So don't
> > feel any obligation to change what uscan is doing on Policy's account
> > here.
> 
> Actually, the text in 4.1.0.0 might be doing too much.  It reads:
> 
> "If the upstream maintainer of the software provides OpenPGP signatures
> for new releases, including the information required for "uscan" to
> verify signatures for new upstream releases is also recommended. To do
> this, use the "pgpsigurlmangle" option in "debian/watch" to specify
> the location of the upstream signature, and include the key or keys
> used to sign upstream releases in the Debian source package as
> "debian/upstream/signing-key.asc".
> 
> IMO, it should either not be mandating uscan internals, or it should be

In principle, your comment is a very reasonable one.

> very clear about the exact subset of stuff we can use in debian/watch
> (version, etc).  For example, I'd rather use opt="..., pgpmode=auto,..."
> instead of explicitly hardcoding a "pgpsigurlmangle".

The new pgpmode=auto and pgpmode=previous have bugs and fail to function
smoothly (#873289, #852537).  Excuse me for these bugs.  The fixes have
been committed to git.  I am hoping the next upload of devscripts (and
its backport) will fix them.  So "pgpsigurlmangle" is the only good way
at this moment.
 
> IMHO, just drop everything from "To do this..." to the end of that
> paragraph entirely.  HOW one gets "uscan" to fetch and check upstream
> signatures is a job for the uscan(1) manpage.  Alternatively, just
> mention "debian/watch", and to refer to the uscan documentation in
> package "devscripts".

Once pgpmode=auto becomes noise free, this should be the preferred
choice.  It will be nice to address #833012, too, using s/\?/.asc?/ etc.
to make it really the default one.

So for now, the policy text is better for me.

> OTOH, if we really need to mandate a specific level of debian/watch
> support, the current text in policy needs work: it doesn't even tell me
> whether I can use version=3 (supported in oldstable), or version=4
> (supported in oldstable-backports and stable), for example...

The uscan version=3/version=4 difference is not so much about enhanced
mangling rules.  It's about how uupdate is invoked and how uupdate
creates the updated source tree.  version=4 uses dpkg-source as its
back-end and is capable of generating multi-upstream tarballs.

If you use new uscan, even with a watch file marked as version=3, it has
access to the enhanced mangling rules.

Osamu
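The watch-file mechanics discussed in this message (an explicit pgpsigurlmangle rule versus pgpmode=auto, and the s/\?/.asc?/ variant for tarball URLs that carry a query string), as an added, runnable illustration. This is not uscan's code and nothing in it comes from the thread: it parses the opts= field of a debian/watch entry, applies a Perl-style s/regex/replacement/flags rule to a tarball URL, and for pgpmode=auto probes a few candidate signature URLs. The package name "foo", the host, both watch files, the set of "remote" files that stands in for HTTP probes, and the list and order of suffixes tried in auto mode are all assumptions constructed for the example.

```python
"""Derive an upstream signature URL from a debian/watch entry.
Added illustration, not uscan's code; the auto-mode suffix list and all
sample data are assumptions made for this example."""
import re
from typing import Any, Callable, Dict, Optional

AUTO_SUFFIXES = (".asc", ".sig", ".gpg", ".pgp", ".sign")  # assumed order

# s<delim>pattern<delim>replacement<delim>flags, any non-alphanumeric
# delimiter (s/$/.asc/, s%\?%.asc?%).  Escaped delimiters are not handled.
_RULE_RE = re.compile(r"^s([^A-Za-z0-9\s])(.*?)\1(.*?)\1([gi]*)$")


def parse_mangle_rule(rule: str):
    m = _RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported mangle rule: {rule!r}")
    _, pattern, replacement, flags = m.groups()
    # Perl back-references are $1, $2, ...; Python's re.sub wants \1, \2, ...
    return pattern, re.sub(r"\$(\d+)", r"\\\1", replacement), flags


def apply_mangle(rules: str, text: str) -> str:
    """Apply one or more ';'-separated s/// rules to text, in order."""
    for rule in filter(str.strip, rules.split(";")):
        pattern, replacement, flags = parse_mangle_rule(rule)
        text = re.sub(pattern, replacement, text,
                      count=0 if "g" in flags else 1,
                      flags=re.IGNORECASE if "i" in flags else 0)
    return text


def parse_watch(text: str) -> Dict[str, Any]:
    """Version, opts and URL pattern of a watch file's first entry."""
    joined = re.sub(r"\\\n\s*", " ", text)  # join backslash-continued lines
    lines = [ln.strip() for ln in joined.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    version, entry = None, None
    for line in lines:
        m = re.fullmatch(r"version\s*=\s*(\d+)", line)
        if m:
            version = int(m.group(1))
        else:
            entry = line
            break
    if entry is None:
        raise ValueError("no watch entry found")
    opts: Dict[str, str] = {}
    m = re.match(r'opts=(?:"([^"]*)"|(\S+))\s+(.*)$', entry)
    if m:
        raw, entry = m.group(1) if m.group(1) is not None else m.group(2), m.group(3)
        for item in raw.split(","):  # a rule containing ',' is not supported
            key, _, value = item.partition("=")
            opts[key.strip()] = value.strip()
    return {"version": version, "opts": opts, "url": entry.split()[0]}


def signature_url(opts: Dict[str, str], tarball_url: str,
                  exists: Optional[Callable[[str], bool]] = None) -> Optional[str]:
    """Explicit pgpsigurlmangle wins; pgpmode=auto probes; otherwise no check."""
    if opts.get("pgpsigurlmangle"):
        return apply_mangle(opts["pgpsigurlmangle"], tarball_url)
    if opts.get("pgpmode") == "auto":
        if exists is None:
            raise ValueError("pgpmode=auto needs a URL probe function")
        # Put the suffix before any query string, as s/\?/.asc?/ would.
        base, sep, query = tarball_url.partition("?")
        for suffix in AUTO_SUFFIXES:
            if exists(base + suffix + sep + query):
                return base + suffix + sep + query
    return None


# Constructed sample inputs: package "foo", host and file set are made up.
WATCH_MANGLE = r"""
version=4
opts="pgpsigurlmangle=s/$/.asc/" \
  https://example.org/releases/foo-(\d[\d.]*)\.tar\.gz
"""
WATCH_AUTO = r"""
version=3
opts=pgpmode=auto https://example.org/foo-(\d[\d.]*)\.tar\.gz\?download=1
"""
REMOTE = {"https://example.org/releases/foo-1.2.tar.gz",       # probe stand-in
          "https://example.org/releases/foo-1.2.tar.gz.asc",
          "https://example.org/foo-1.2.tar.gz?download=1",
          "https://example.org/foo-1.2.tar.gz.asc?download=1"}


def resolve(watch_text: str, tarball_url: str) -> Optional[str]:
    """Parse the watch file and derive the signature URL for one tarball."""
    watch = parse_watch(watch_text)
    if not re.fullmatch(watch["url"], tarball_url):
        raise ValueError("tarball URL does not match the watch pattern")
    return signature_url(watch["opts"], tarball_url, REMOTE.__contains__)


if __name__ == "__main__":
    print(resolve(WATCH_MANGLE, "https://example.org/releases/foo-1.2.tar.gz"))
    print(resolve(WATCH_AUTO, "https://example.org/foo-1.2.tar.gz?download=1"))
```

Run directly it prints the two derived signature URLs. parse_watch deliberately accepts version=3 and version=4 alike, since the version number governs how uupdate is driven rather than which mangling rules are available. A rule containing an escaped delimiter or a comma is outside what this small parser handles.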



Re: debian/upstream/signing-key.asc in policy 4.1.0

2017-08-27 Thread Henrique de Moraes Holschuh
On Wed, 23 Aug 2017, Russ Allbery wrote:
> Note that this Policy language is carefully written to make it perfectly
> fine for uscan to support all the things it currently supports, since it
> only talks about what Policy recommends the maintainer does.  So don't
> feel any obligation to change what uscan is doing on Policy's account
> here.

Actually, the text in 4.1.0.0 might be doing too much.  It reads:

"If the upstream maintainer of the software provides OpenPGP signatures
for new releases, including the information required for "uscan" to
verify signatures for new upstream releases is also recommended. To do
this, use the "pgpsigurlmangle" option in "debian/watch" to specify
the location of the upstream signature, and include the key or keys
used to sign upstream releases in the Debian source package as
"debian/upstream/signing-key.asc".

IMO, it should either not be mandating uscan internals, or it should be
very clear about the exact subset of stuff we can use in debian/watch
(version, etc).  For example, I'd rather use opt="..., pgpmode=auto,..."
instead of explicitly hardcoding a "pgpsigurlmangle".

IMHO, just drop everything from "To do this..." to the end of that
paragraph entirely.  HOW one gets "uscan" to fetch and check upstream
signatures is a job for the uscan(1) manpage.  Alternatively, just
mention "debian/watch", and to refer to the uscan documentation in
package "devscripts".

OTOH, if we really need to mandate a specific level of debian/watch
support, the current text in policy needs work: it doesn't even tell me
whether I can use version=3 (supported in oldstable), or version=4
(supported in oldstable-backports and stable), for example...

-- 
  Henrique Holschuh



Re: debian/upstream/signing-key.asc in policy 4.1.0

2017-08-27 Thread Osamu Aoki
Oops.

On Sun, Aug 27, 2017 at 12:55:26AM +0900, Osamu Aoki wrote:
> Hi,
> 
> On Wed, Aug 23, 2017 at 09:27:25AM -0700, Russ Allbery wrote:
> > Osamu Aoki  writes:
> > > The updated uscan will support debian/upstream/signing-key.asc only and
> > > internally convert it to /signing-key.gpg.  I will make uscan
> > > convert other formats to this policy-compliant *.asc.  It will also make
> > > noise to the maintainer to push them to policy 4.1.0.
> > 
> > Note that this Policy language is carefully written to make it perfectly
> > fine for uscan to support all the things it currently supports, since it
> > only talks about what Policy recommends the maintainer does.  So don't
> > feel any obligation to change what uscan is doing on Policy's account
> > here.
> 
> Maybe I should have been a bit careful with my words:
> 
> The updated uscan will support debian/upstream/signing-key.asc only as
> the recommended keyring.  It will accept other historic keyrings but
> also internally converts them to /signing-key.gpg to guide

Of course:
  /signing-key.asc

> people to the new recommended format with some reminder noise.

Now committed to git.

Osamu



Re: debian/upstream/signing-key.asc in policy 4.1.0

2017-08-26 Thread Osamu Aoki
Hi,

On Wed, Aug 23, 2017 at 09:27:25AM -0700, Russ Allbery wrote:
> Osamu Aoki  writes:
> > The updated uscan will support debian/upstream/signing-key.asc only and
> > internally convert it to /signing-key.gpg.  I will make uscan
> > convert other formats to this policy-compliant *.asc.  It will also make
> > noise to the maintainer to push them to policy 4.1.0.
> 
> Note that this Policy language is carefully written to make it perfectly
> fine for uscan to support all the things it currently supports, since it
> only talks about what Policy recommends the maintainer does.  So don't
> feel any obligation to change what uscan is doing on Policy's account
> here.

Maybe I should have been a bit careful with my words:

The updated uscan will support debian/upstream/signing-key.asc only as
the recommended keyring.  It will accept other historic keyrings but
also internally converts them to /signing-key.gpg to guide
people to the new recommended format with some reminder noise.

> That said, as discussed elsewhere, I'm a huge fan of there being only one
> way to do something like this, with some easy tools to convert other
> methods into that one method.  It reduces everyone's cognitive load in the
> future.

Yes.

Osamu



Re: debian/upstream/signing-key.asc in policy 4.1.0

2017-08-23 Thread Russ Allbery
Osamu Aoki  writes:

> After all the discussion, Policy 4.1.0 goes as:

> | 4.11. Optional upstream source location: debian/watch
> | 
> | This is an optional, recommended configuration file for the uscan
> | utility which defines how to automatically scan ftp or http sites for
> | newly available updates of the package. This is also used by some Debian
> | QA tools to help with quality control and maintenance of the
> | distribution as a whole.
> | 
> | If the upstream maintainer of the software provides OpenPGP signatures
> | for new releases, including the information required for uscan to verify
> | signatures for new upstream releases is also recommended. To do this,
> | use the pgpsigurlmangle option in debian/watch to specify the location
> | of the upstream signature, and include the key or keys used to sign
> | upstream releases in the Debian source package as
> | debian/upstream/signing-key.asc.
> | 
> | For more information about uscan and these options, including how to
> | generate the file containing upstream signing keys, see uscan.

> Please note a few things which I failed to share:

> The current uscan supports both 
>  debian/upstream/signing-key.asc
>  debian/upstream/signing-key.pgp

> Now, if debian/upstream/signing-key.asc is used, uscan converts it to
> /signing-key.gpg with gpg for use with gpgv to check the signature.
> (I think the same goes for dpkg-source.)  It looks like a waste of CPU
> power but is not a big deal.  I do this conversion since no
> documentation mentions that the keyring can be ASCII-armored for gpgv.

> The updated uscan will support debian/upstream/signing-key.asc only and
> internally convert it to /signing-key.gpg.  I will make uscan
> convert other formats to this policy-compliant *.asc.  It will also make
> noise to the maintainer to push them to policy 4.1.0.

Note that this Policy language is carefully written to make it perfectly
fine for uscan to support all the things it currently supports, since it
only talks about what Policy recommends the maintainer does.  So don't
feel any obligation to change what uscan is doing on Policy's account
here.

That said, as discussed elsewhere, I'm a huge fan of there being only one
way to do something like this, with some easy tools to convert other
methods into that one method.  It reduces everyone's cognitive load in the
future.

-- 
Russ Allbery (r...@debian.org)
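The .asc-to-binary keyring conversion Osamu describes above, as an added illustration in pure Python rather than a call out to gpg. This is not uscan's or dpkg-source's code, and the FILLER bytes are constructed stand-ins, not a real OpenPGP key: the point is what "dearmoring" debian/upstream/signing-key.asc into a binary keyring for gpgv actually involves (RFC 4880 radix-64 armor: strip the header lines, base64-decode the body, and check the trailing "=XXXX" line, which is a CRC-24 over the binary data), and that a corrupted or truncated armor file is rejected rather than silently turned into a bad keyring.

```python
"""Convert an ASCII-armored OpenPGP block to binary (and back) with the
RFC 4880 CRC-24 check.  Added illustration, not uscan's code; FILLER is
constructed bytes standing in for real key packets."""
import base64
import binascii
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1; the armor trailer "=XXXX" carries it."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Radix-64 armor: header line, armor headers, blank line, body, CRC, end."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {block}-----", "Comment: constructed example",
                      "", *lines, crc_line, f"-----END {block}-----"]) + "\n"


class ArmorError(ValueError):
    """Raised when the armor is malformed, truncated or fails its CRC."""


def dearmor(text: str) -> bytes:
    """Inverse of armor(): the binary form a tool feeds to gpgv's keyring."""
    m = re.search(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ArmorError("no armor block found")
    lines = [ln.strip() for ln in m.group(2).splitlines()]
    if "" in lines:  # armor headers (Version:, Comment:) end at the blank line
        lines = lines[lines.index("") + 1:]
    body, crc_line = [], None
    for line in lines:
        if line.startswith("="):
            crc_line = line[1:]
        elif line:
            body.append(line)
    if crc_line is None:
        raise ArmorError("missing CRC-24 trailer")
    try:
        data = base64.b64decode("".join(body), validate=True)
        expected = int.from_bytes(base64.b64decode(crc_line, validate=True), "big")
    except binascii.Error as e:
        raise ArmorError(f"bad radix-64 data: {e}") from e
    if crc24(data) != expected:
        raise ArmorError("CRC-24 mismatch: armor corrupted or truncated")
    return data


def corrupt_body(text: str) -> str:
    """Change one character of the first radix-64 body line (for the demo)."""
    lines = text.splitlines()
    i = lines.index("") + 1
    lines[i] = ("A" if lines[i][0] != "A" else "B") + lines[i][1:]
    return "\n".join(lines) + "\n"


def rejects(text: str) -> bool:
    """True if dearmor() refuses the text."""
    try:
        dearmor(text)
    except ArmorError:
        return True
    return False


# Constructed filler, NOT a real key: a real signing-key.asc would decode to
# OpenPGP public-key, user-id and signature packets.
FILLER = bytes(range(256)) + b"constructed filler, not an OpenPGP key"


def demo() -> dict:
    text = armor(FILLER)
    return {"roundtrip": dearmor(text) == FILLER,
            "rejects_corruption": rejects(corrupt_body(text)),
            "rejects_missing_crc": rejects(text.replace("\n=", "\n", 1))}


if __name__ == "__main__":
    print(armor(FILLER)[:120], "...")
    print(demo())
```

Any single-byte change inside the body is caught by the CRC-24 (a burst shorter than the 24-bit generator is always detected), and dropping the "=XXXX" line is reported instead of being decoded as extra key bytes. The check is a transport integrity check only: it says nothing about whether the key inside is the upstream maintainer's, which is what putting the keyring under version control in debian/upstream/ is for.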