Control: clone 711744 -1
Control: reassign -1 devscripts
Control: retitle -1 uscan should abort if pgpsigmangleurl but no upstream-signing-key.pgp

On Tue 2014-01-07 04:48:58 -0500, Thijs Kinkhorst wrote:
> On Sun, December 15, 2013 19:44, Daniel Kahn Gillmor wrote:
>> uscan should fail (return non-zero) if pgpsigmangleurl is present and
>> anything prevents full validation of the upstream source.
>
> if the upstream-signing-key.pgp is missing, uscan will happily
> download the tarball without any verification and with return code 0, I
> think that's not expected?
>
> $ uscan --verbose
> -- Scanning for watchfiles in .
> -- Found watchfile in ./debian
> -- In debian/watch, processing watchfile line:
> opts="pasv,pgpsigurlmangle=s/$/.sig/"
> http://gnupg.org/download/.*/gnupg-(1\..*)\.tar\.gz
> uscan warning: pgpsigurlmangle option exists, but
> debian/upstream-signing-key.pgp does not exist,

I agree this is a problem, and uscan should probably fail hard here
instead of just warning.

--dkg
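
One way to get the fail-hard behaviour discussed above from a wrapper or CI job is a pre-flight check that runs before uscan. This is an added example, not part of the original message or of devscripts; the function names and exit codes are assumptions, while the option name and file paths are the ones in the uscan output quoted above.

```shell
#!/bin/sh
# Added example (not uscan's own code): refuse to proceed when debian/watch
# requests signature checking but no upstream key is shipped.
# Function names and exit codes here are illustrative assumptions.

# has_sig_option WATCHFILE
#   Succeeds if any non-comment line sets pgpsigurlmangle.
has_sig_option() {
    # Drop comment lines first so a commented-out option does not count.
    grep -v '^[[:space:]]*#' "$1" | grep -q 'pgpsigurlmangle='
}

# check_signing_key SRCDIR
#   0: no signature check requested, or a non-empty key file is present
#   1: pgpsigurlmangle is set but the key file is missing or empty
#   2: SRCDIR has no debian/watch
check_signing_key() {
    src=${1:-.}
    watch="$src/debian/watch"
    key="$src/debian/upstream-signing-key.pgp"

    [ -f "$watch" ] || { echo "error: $watch not found" >&2; return 2; }

    # Nothing to enforce when the watch file never asks for a signature.
    has_sig_option "$watch" || return 0

    # -s also rejects a zero-length key file, which could not verify anything.
    if [ ! -s "$key" ]; then
        echo "error: pgpsigurlmangle is set in $watch but $key is missing or empty" >&2
        return 1
    fi
    return 0
}

# Typical use from the package source root:
#   check_signing_key . && uscan --verbose
```

The check only confirms that a key file is present; verifying the downloaded tarball against it is still uscan's job.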