Package: devscripts Version: 2.18.2 Severity: minor When I build a package for uploading into Debian (i.e. no --binary-arch) a .buildinfo file gets generated which contains the checksum of the .dsc file, which at that time is unsigned.
When I later debsign, the .dsc file is signed alongside with the .changes file; however, the .buildinfo file contains the hashes of the .dsc file. (I could omit the .buildinfo file or regenerate it, but since .changes also includes .buildinfo signature this becomes annoying really fast.) Please just check the .dsc checksum in a .buildinfo file, during verifi‐ cation of the latter, also against the .dsc file contents with the sig‐ nature stripped *IFF* the .dsc file itself is signed *and* passes signa‐ ture checking. Thanks! -- Package-specific info: --- /etc/devscripts.conf --- --- ~/.devscripts --- DEBCHANGE_AUTO_NMU=no DEBCHANGE_MAINTTRAILER=no DEBCHANGE_MULTIMAINT_MERGE=yes DEBCHANGE_RELEASE_HEURISTIC=log -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.16.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8) Shell: /bin/sh linked to /bin/lksh Init: sysvinit (via /sbin/init) Versions of packages devscripts depends on: ii dpkg-dev 1.19.0.5 ii libc6 2.27-3 ii libfile-homedir-perl 1.002-1 ii perl 5.26.2-3 ii python3 3.6.5-3 ii sensible-utils 0.0.12 Versions of packages devscripts recommends: ii apt 1.6.1 ii at 3.1.20-5 ii curl 7.58.0-2 ii dctrl-tools 2.24-2+b1 ii debian-keyring 2018.03.24 ii dput 1.0.2 ii equivs 2.1.0 ii fakeroot 1.22-2 ii file 1:5.33-2 ii gnupg 2.2.5-1 ii gnupg2 2.2.5-1 pn libdistro-info-perl <none> ii libdpkg-perl 1.19.0.5 ii libencode-locale-perl 1.05-1 pn libgit-wrapper-perl <none> pn liblist-compare-perl <none> ii liblwp-protocol-https-perl 6.07-2 pn libsoap-lite-perl <none> pn libstring-shellquote-perl <none> ii liburi-perl 1.74-1 ii libwww-perl 6.33-1 pn licensecheck <none> ii lintian 2.5.86 ii man-db 2.8.3-2 ii patch 2.7.6-2 ii patchutils 0.3.4-2 ii python3-apt 1.6.0 ii python3-debian 0.1.32 ii python3-magic 2:0.4.15-1 ii python3-requests 2.18.4-2 pn python3-unidiff <none> pn python3-xdg <none> ii strace 4.21-1 ii unzip 6.0-21 ii wdiff 1.2.2-2+b1 ii wget 1.19.5-1 ii xz-utils 5.2.2-1.3 Versions of packages devscripts suggests: ii adequate 0.15.1 pn autopkgtest <none> pn bls-standalone <none> ii bsd-mailx [mailx] 8.1.2-0.20160123cvs-4 ii build-essential 12.5 pn check-all-the-things <none> pn cvs-buildpackage <none> pn devscripts-el <none> ii diffoscope 94 pn disorderfs <none> pn dose-extra <none> pn duck <none> pn faketime <none> pn gnuplot <none> ii gpgv 2.2.5-1 pn how-can-i-help <none> pn libauthen-sasl-perl <none> pn libfile-desktopentry-perl <none> pn libnet-smtps-perl <none> pn libterm-size-perl <none> ii libtimedate-perl 2.3000-2 ii libyaml-syck-perl 1.30-1 pn mozilla-devscripts <none> pn mutt <none> ii openssh-client [ssh-client] 1:7.7p1-2 pn piuparts <none> ii postgresql-client-10 [postgresql-client] 10.4-2 ii quilt 0.63-8.2 pn ratt <none> pn reprotest <none> pn svn-buildpackage <none> ii w3m 0.5.3-36+b1 -- no debconf information
