Control: tags 920763 - moreinfo

Hi Chris--
On Tue 2019-01-29 09:29:50 +0100, Chris Lamb wrote:
> Probably a silly question for this time in the morning but what is
> stopping you extracting the associated signature and calling it
> $origname.asc?

the signature matches the git commit, but not the tarball. If we have a
$origname.asc i think it's expected to be verifiable via:

    gpgv $origname.asc $origname

but that would pretty clearly fail.

> (If this is not possible/sensible/whatever, if Lintian essentially
> grepped debian/watch, would that be good enough?)

Ideally, lintian would verify that there exists a signed tag in the git
repo found at Vcs-Git: (from d/control), which matches the name of
upstream-tag (from d/gbp.conf), and whose contents corresponds to the
expected contents of the orig.tar.gz (presumably with a standardized
prefix).

One approach would be to:

 * identify the tag by its expected name
 * cryptographically verify it
 * extract the expected archive from the git repo via sth. like

       git archive --format=tar --prefix=$pkgname-$origversion/

   piped through the expected buildpackage.compression value (from
   d/gbp.conf)
 * compare it bytewise with $origname

I suspect that will work in most cases, though i don't know whether git
has explicitly committed to a stable output for git archive --format=tar.

If going that far is too fancy for lintian for now, then a simple grep of
d/watch would do for starters, and we could just convert this bug report
to a suggestion for future lintian enhancement.

Regards,

--dkg
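The four steps dkg sketches above, written out as a POSIX shell check. This is an added example, not code from the bug report or from lintian; the function names, the argument layout (repo, tag, prefix, orig tarball) and the choice to compare decompressed tar streams rather than compressed bytes are my own assumptions. It goes slightly beyond the message by decompressing $origname first, because gzip and friends embed mtime and OS bytes in their headers, so a bytewise comparison of compressed output would fail even when the tar contents are identical.

```shell
#!/bin/sh
# Added example (not from the bug report or lintian): check that an
# orig tarball matches a signed upstream git tag, following the steps
# dkg outlines: locate the tag, verify its signature, regenerate the
# archive with git archive, and compare it with the orig tarball.
# Function names and the argument layout are assumptions of this example.
set -eu

# Steps 1 and 2: confirm the tag exists and carries a good OpenPGP
# signature. git verify-tag calls gpg, so the upstream signing key must
# already be in the keyring (e.g. imported from
# debian/upstream/signing-key.asc). Lightweight or unsigned tags fail.
verify_upstream_tag() {
    repo="$1"; tag="$2"
    git -C "$repo" rev-parse -q --verify "refs/tags/$tag" >/dev/null || return 1
    git -C "$repo" verify-tag "$tag" 2>/dev/null
}

# Turn an orig tarball into a raw tar stream, picking the decompressor
# from the suffix (the same information d/gbp.conf's
# buildpackage.compression carries). Comparing decompressed streams
# sidesteps compressor nondeterminism such as gzip's header mtime.
orig_to_tar() {
    case "$1" in
        *.tar.gz)  gzip -dc "$1" ;;
        *.tar.xz)  xz -dc "$1" ;;
        *.tar.bz2) bzip2 -dc "$1" ;;
        *.tar)     cat "$1" ;;
        *) echo "unknown compression: $1" >&2; return 2 ;;
    esac
}

# Steps 3 and 4: regenerate the tar stream from the tag with the
# expected $pkgname-$origversion/ prefix and compare it bytewise with
# the decompressed orig tarball. Returns 0 on an exact match, 1 otherwise.
orig_matches_tag() {
    repo="$1"; tag="$2"; prefix="$3"; orig="$4"
    tmp=$(mktemp)
    git -C "$repo" archive --format=tar --prefix="$prefix/" "$tag" >"$tmp"
    if orig_to_tar "$orig" | cmp -s "$tmp" -; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# Run both halves; a tarball is accepted only if the tag verifies AND
# its contents match. Usage: check_orig REPO TAG PREFIX ORIG
check_orig() {
    verify_upstream_tag "$1" "$2" || { echo "tag $2: bad or missing signature" >&2; return 1; }
    orig_matches_tag "$1" "$2" "$3" "$4" || { echo "$4 differs from tag $2" >&2; return 1; }
    echo "$4 matches signed tag $2"
}
```

Two caveats a practitioner would want: git archive writes a pax global header containing the commit id at the top of the stream, so an exact match is only possible when upstream produced its tarball with git archive as well (a `make dist` tarball will never match bytewise, and would need a tree-level comparison after extraction instead); and export-ignore / export-subst entries in upstream's .gitattributes also change what git archive emits, which is one more reason the "stable output" question dkg raises matters.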