On Wed, 2015-08-26 at 22:31 -0400, James McCoy wrote:

> I think uscan is a bit too overloaded already. A new tool (chkorigsig?)
> should probably be split out to handle finding the upstream keyring (or
> using a specified one) and an upstream archive and verifying it. That
> can be used by uscan and for part of the workflow you're describing
> here.

Seems reasonable.

> There are a lot of heuristics implied here, which also don't seem to
> belong to uscan. The only part that really needs uscan is the "download
> orig from upstream" which can be handled as Osamu was describing.

I think maybe the heuristics I wrote back then can now be delegated to
diffoscope, which was created by the reproducible builds folks.

http://diffoscope.org/

> Maybe pulling relevant bits of uscan out into library code would make it
> easier to build up what you envision.

Ack, new plan:

New script called checkorig or similar should:

Copy the already-downloaded orig.tar files to a tmp dir (dpkg-dev?)

Run uscan to download the current upstream tarball to a temporary
directory and do the usual gpg sig check dance during the process.

Compare the two directories using diffoscope, tardiff or cmp.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
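The three steps of the proposed checkorig script, written out as a POSIX shell sketch. This is an added illustration for this thread, not Paul's script and not part of devscripts; the function names (copy_origs, fetch_upstream, compare_origs) are invented for the example. The uscan options used (--destdir, --download-current-version, --verbose) are real uscan options; the signature check only happens when debian/watch and debian/upstream/signing-key.asc are configured for it, which the script assumes. It also assumes a tar that accepts --strip-components (GNU tar or bsdtar) and uses diffoscope when installed, otherwise diff -r.

```shell
#!/bin/sh
# checkorig.sh: sketch of the "checkorig" workflow proposed in this mail.
# Added for illustration; not a devscripts tool, not Paul's code. All
# function and variable names are this example's own.
#
# (1) copy the orig tarballs the package already has aside,
# (2) let uscan fetch the current upstream tarball into a temp dir, which
#     also runs uscan's OpenPGP signature check when debian/watch and
#     debian/upstream/signing-key.asc are set up for it (assumed here),
# (3) compare the two tarballs by content.

# copy_origs SRCDIR DEST: copy ../<src>_<ver>.orig.tar.* (next to the
# unpacked source tree) into DEST so the comparison never touches the
# real files.
copy_origs() {
    src_dir=$1
    dest=$2
    mkdir -p "$dest"
    for f in "$src_dir"/../*.orig.tar.*; do
        if [ -e "$f" ]; then
            cp -p "$f" "$dest"/
        fi
    done
    return 0
}

# fetch_upstream DEST: run from inside the source tree. uscan downloads
# the version named in debian/changelog into DEST (creating the usual
# <src>_<ver>.orig.tar.* symlink there) and exits non-zero if the
# signature check configured in debian/watch does not pass.
fetch_upstream() {
    uscan --verbose --download-current-version --destdir "$1"
}

# compare_origs A B: return 0 if the two tarballs have the same content,
# 1 if they differ. Byte-identical files short-circuit via cmp. Otherwise
# both are unpacked with the top-level directory stripped, so a different
# top-level name (foo-1.0/ vs foo-1.0-release/) is not reported as a
# difference, and the trees are compared with diffoscope when available,
# else with diff -r. Assumes tar understands --strip-components.
compare_origs() {
    a=$1
    b=$2
    if cmp -s "$a" "$b"; then
        return 0
    fi
    work=$(mktemp -d)
    mkdir "$work/a" "$work/b"
    tar -xf "$a" -C "$work/a" --strip-components=1
    tar -xf "$b" -C "$work/b" --strip-components=1
    if command -v diffoscope >/dev/null 2>&1; then
        diffoscope "$work/a" "$work/b"
    else
        diff -r "$work/a" "$work/b"
    fi
    rc=$?
    rm -rf "$work"
    return "$rc"
}

# main SRCDIR: glue the three steps together for one unpacked package.
main() {
    src=$1
    tmp=$(mktemp -d)
    copy_origs "$src" "$tmp/have"
    if ! (cd "$src" && fetch_upstream "$tmp/upstream"); then
        echo "checkorig: uscan failed (download or signature check)" >&2
        rm -rf "$tmp"
        return 2
    fi
    have=$(ls "$tmp"/have/*.orig.tar.* 2>/dev/null | head -n 1)
    got=$(ls "$tmp"/upstream/*.orig.tar.* 2>/dev/null | head -n 1)
    if [ -z "$have" ] || [ -z "$got" ]; then
        echo "checkorig: could not find both tarballs to compare" >&2
        rm -rf "$tmp"
        return 2
    fi
    if compare_origs "$have" "$got"; then
        echo "checkorig: $(basename "$have") matches upstream"
        rc=0
    else
        echo "checkorig: $(basename "$have") DIFFERS from upstream" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage: checkorig.sh <path-to-unpacked-debian-source>
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Comparing unpacked trees rather than the tarball bytes is deliberate: a repacked tarball (different compressor, timestamps or top-level directory name) is not evidence of tampering, while any difference in file contents is worth a look, and diffoscope gives a readable report of exactly what changed. A non-zero exit from uscan (step 2) is the interesting failure for this workflow, because that is where the upstream signature check lives.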