On Thu, May 08, 2014 at 08:10:02PM +0800, Paul Wise wrote:
> It would be great if there were an option to verify the current upstream
> tarball is the same as the one for the package and that the upstream
> cryptographic signatures still match.

I think uscan is a bit too overloaded already.  A new tool (chkorigsig?)
should probably be split out to handle finding the upstream keyring (or
using a specified one) and an upstream archive and verifying it.  That
can be used by uscan and for part of the workflow you're describing
here.

> Currently sponsors have to do this
> manually, it would be much better if it could be automated. If the hash
> of the tarball is different to upstream, uscan could determine if the
> tarball was just recompressed, if the tarball itself was recreated or if
> the content of the tarball is different and maybe how it is different.

There are a lot of heuristics implied here, which also don't seem to
belong to uscan.  The only part that really needs uscan is the "download
orig from upstream" which can be handled as Osamu was describing.

Maybe pulling relevant bits of uscan out into library code would make it
easier to build up what you envision.

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <james...@debian.org>

Attachment: signature.asc
Description: Digital signature
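The hash comparison and the "recompressed vs. recreated vs. content differs" distinction discussed in the thread above, as an added example. This is not devscripts/uscan code and not an implementation of the chkorigsig tool James floats; it is a standalone Python sketch of the heuristics. The tarballs it classifies are constructed in memory, and the upstream-signature check (gpgv against the upstream keyring, which would run before any of this) is not shown.

```python
"""Classify how an upstream tarball differs from the one shipped in a
Debian source package.  Added example (not devscripts/uscan code).

Checks run from cheapest to most expensive:
  identical        compressed bytes match
  recompressed     decompressed tar stream is byte-identical
  recreated        same member names, types and contents, but the tar
                   stream differs (mtimes, owners, ordering, padding ...)
  content-differs  members or their contents differ; the paths are listed
"""
import bz2
import gzip
import hashlib
import io
import lzma
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decompress(data: bytes) -> bytes:
    """Strip gzip/bzip2/xz wrapping by sniffing magic bytes; plain tar passes through."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    if data[:3] == b"BZh":
        return bz2.decompress(data)
    if data[:6] == b"\xfd7zXZ\x00":
        return lzma.decompress(data)
    return data


def content_digest(tar_bytes: bytes) -> dict:
    """Map each member path to a digest of what matters for content:
    sha256 of regular files, the target of symlinks, the type otherwise."""
    digest = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for m in tf:
            if m.isfile():
                digest[m.name] = "file:" + sha256(tf.extractfile(m).read())
            elif m.issym():
                digest[m.name] = "symlink:" + m.linkname
            else:
                digest[m.name] = "type:" + m.type.decode()
    return digest


def classify(packaged: bytes, upstream: bytes) -> tuple:
    """Return (verdict, changed_paths) for the packaged vs. upstream tarball."""
    if sha256(packaged) == sha256(upstream):
        return ("identical", [])
    p_tar, u_tar = decompress(packaged), decompress(upstream)
    if sha256(p_tar) == sha256(u_tar):
        return ("recompressed", [])
    p, u = content_digest(p_tar), content_digest(u_tar)
    if p == u:
        return ("recreated", [])
    changed = sorted(k for k in set(p) | set(u) if p.get(k) != u.get(k))
    return ("content-differs", changed)


def make_tar(files: dict, mtime: int) -> bytes:
    """Build an uncompressed tar from {path: bytes} with a fixed mtime
    (constructed test data standing in for real upstream releases)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            tf.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def demo() -> list:
    """Run the four cases against constructed tarballs; returns the verdicts."""
    src = {"foo-1.0/README": b"hello\n",
           "foo-1.0/src/main.c": b"int main(void) { return 0; }\n"}
    packaged = gzip.compress(make_tar(src, mtime=1000))
    # Same tar stream, different compressor.
    recompressed = lzma.compress(make_tar(src, mtime=1000))
    # Tar regenerated later: same files, new mtimes.
    recreated = gzip.compress(make_tar(src, mtime=2000))
    # Upstream quietly replaced a file after the release.
    edited = dict(src)
    edited["foo-1.0/README"] = b"hello world\n"
    differs = gzip.compress(make_tar(edited, mtime=2000))
    return [classify(packaged, packaged),
            classify(packaged, recompressed),
            classify(packaged, recreated),
            classify(packaged, differs)]


if __name__ == "__main__":
    for verdict, paths in demo():
        print(verdict, " ".join(paths))
```

Only "identical" and "recompressed" are safe verdicts for a sponsor to accept without looking further; "recreated" means the upstream build environment changed and deserves a glance at the diff of `tar -tvf` listings, and "content-differs" is the case that should block the upload until the changed paths are explained.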