Package: devscripts
Version: 2.13.8
Severity: normal
Tags: patch

Now that pgpsigurlmangle is available, it would be nice to remind package maintainers if upstream is offering something that looks like a cryptographic signature.
The attached patch implements such a check.

--dkg

-- Package-specific info:
--- /etc/devscripts.conf ---

--- ~/.devscripts ---
Not present

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
commit 20a435df7093fb0048bf6471e9ca6f3fc17ee3b6
Author: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Date:   Wed Dec 18 02:21:50 2013 -0500

    uscan checks for likely upstream signatures if none are known

    uscan tries to fetch the usual suffixes (.asc, .gpg, .pgp, .sig) appended to the tarball URL to see if we can find a likely-looking cryptographic signature. If one is found, we suggest that the package maintainer investigate it and encourage them to set up future checks.

diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index 0ffe9f2..6cdce00 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -1412,6 +1412,16 @@ EOF '--keyring', 'debian/upstream-signing-key.pgp', "$destdir/$newfile_base.pgp", "$destdir/$newfile_base") >> 8 == 0 or uscan_die("$progname warning: OpenPGP signature did not verify.\n"); + } else { + print "-- Checking for common possible upsteam OpenPGP signatures\n" if $verbose; + foreach my $suffix (qw(asc gpg pgp sig)) { + my $sigrequest = HTTP::Request->new('GET' => "$upstream_url.$suffix"); + my $sigresponse = $user_agent->request($sigrequest); + if ($sigresponse->is_success()) { + uscan_warn "$pkg: Possible OpenPGP signature found at:\n $upstream_url.$suffix.\n Please consider adding opts=pgpsigurlmangle=s/\$/.$suffix/\n to debian/watch. see uscan(1) for more details.\n"; + last; + } + } } if ($repack and $newfile_base =~ /^(.*)\.(tar\.bz2|tbz2?)$/) {
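Review bot: in the new else branch, $sigresponse->is_success() on a plain GET of "$upstream_url.$suffix" is too weak a test for "signature found": a server that answers 200 for unknown paths (a soft 404 or an HTML error page) will trigger the warning for every package it hosts, and the response body, which is never inspected, is downloaded in full for each of the four suffixes on every uscan run. Consider issuing a HEAD request first, or keeping the GET but only warning when the body actually looks like an OpenPGP signature (an armored .asc begins with "-----BEGIN PGP SIGNATURE-----"), so the hint is not spurious. Two smaller points: the print line misspells "upsteam", and the uscan_warn text should make clear that the maintainer still has to obtain the upstream signing key out of band and verify the signature before enabling pgpsigurlmangle, since this check only establishes that some file exists at that URL; "see uscan(1)" should also start with a capital letter.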