On Sun, December 15, 2013 19:44, Daniel Kahn Gillmor wrote:
> On 12/13/2013 03:33 AM, Thijs Kinkhorst wrote:
>> Well, the idea of making it invalid was to see if the download would
>> actually fail on that.
>
> uscan should fail (return non-zero) if pgpsigmangleurl is present and
> anything prevents full validation of the upstream source.

OK, I gave it another try.

Firstly, it seems like the watch file in this bug accidentally drops the
required "pasv" option. When I re-add that, the downloading of the
orig.tar.gz works again, but the downloading of the signature fails. Does
that code not use the pasv option?

$ uscan --verbose
-- Scanning for watchfiles in .
-- Found watchfile in ./debian
-- In debian/watch, processing watchfile line:
   opts="pasv,pgpsigurlmangle=s/$/.sig/" http://gnupg.org/download/ .*/gnupg-(1\..*)\.tar\.gz
-- Found the following matching hrefs:
     ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.16.tar.gz (1.4.16)
Newest version on remote site is 1.4.16, local version is 1.4.15
 => Newer version available from
    ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.16.tar.gz
-- Downloading updated package gnupg-1.4.16.tar.gz
-- Downloading OpenPGP signature for package as gnupg-1.4.16.tar.gz.pgp
uscan warning: In directory ., downloading OpenPGP signature
  ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.16.tar.gz failed: 400 FTP return code 150

Also, if the upstream-signing-key.pgp is missing, uscan will happily
download the tarball without any verification and with return code 0, I
think that's not expected?

$ uscan --verbose
-- Scanning for watchfiles in .
-- Found watchfile in ./debian
-- In debian/watch, processing watchfile line:
   opts="pasv,pgpsigurlmangle=s/$/.sig/" http://gnupg.org/download/ .*/gnupg-(1\..*)\.tar\.gz
uscan warning: pgpsigurlmangle option exists, but debian/upstream-signing-key.pgp does not exist, ignoring
  in debian/watch:
  http://gnupg.org/download/ .*/gnupg-(1\..*)\.tar\.gz
-- Found the following matching hrefs:
     ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.16.tar.gz (1.4.16)
Newest version on remote site is 1.4.16, local version is 1.4.15
 => Newer version available from
    ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.16.tar.gz
-- Downloading updated package gnupg-1.4.16.tar.gz
-- Successfully downloaded updated package gnupg-1.4.16.tar.gz
    and symlinked gnupg_1.4.16.orig.tar.gz to it
-- Scan finished
$ echo $?
0

Cheers,
Thijs
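
Added example, not part of the original message and not devscripts code: a fail-closed pre-flight check for the second case above, where uscan warned that debian/upstream-signing-key.pgp was missing and still exited 0. The function names are hypothetical; the file paths are the ones shown in the uscan output.

```shell
#!/bin/sh
# Added example (not uscan/devscripts code). Refuses to start a download when
# debian/watch asks for signature checking but the keyring it needs is absent.
# Function names are hypothetical; paths are those from the uscan output above.

# Return 0 if any non-comment line of the watch file sets pgpsigurlmangle.
watch_wants_signature() {
    watch="$1/debian/watch"
    [ -f "$watch" ] || return 1
    # Drop comment lines first so a commented-out option does not count.
    grep -v '^[[:space:]]*#' "$watch" | grep -q 'pgpsigurlmangle='
}

# Return 0 when uscan may run; return 1 when verification was requested
# but cannot happen because the keyring is missing or empty.
preflight_check() {
    pkgdir="${1:-.}"
    key="$pkgdir/debian/upstream-signing-key.pgp"
    if watch_wants_signature "$pkgdir"; then
        if [ ! -s "$key" ]; then
            echo "refusing: pgpsigurlmangle set but $key is missing or empty" >&2
            return 1
        fi
    fi
    return 0
}

# Wrapper: run uscan in the current package directory only after the
# pre-flight check passes, and pass its exit status through unchanged.
guarded_uscan() {
    preflight_check . || return 1
    uscan "$@"
}
```

Calling `guarded_uscan --verbose` from the package root turns the "ignoring" warning into a hard failure before anything is fetched; it does not replace the signature verification uscan performs when the keyring is present.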