Package: lintian
Version: 2.14.0
Severity: wishlist
Hi!
The mk-origtargz program from devscripts was producing bogus upstream
tarball .asc files. It would be nice if this could be warned, so that
people know this is the case and so that they have sufficient data to
decide whether to fix it right away or wait for the next version bump.
The problems vary in severity though:
- Doubly armored files.
Can be easily detected with the equivalent «grep -q ^LS0tLS1CRUd».
- Bogus Armor Header Lines.
Usage of /ARMORED FILE/ instead of /SIGNATURE/.
- Superfluous Armor Fields.
Presence of /^Version:/ and /^Comment:/.
- There was also the possibility of concatenated repeated signatures.
I'm not sure this has occurred in the Debian archive though, but
uscan when invoked multiple times would produce this. It might be
worth checking anyway, because even if this might not affect the
Debian archive it might affect third party packaging.
Fixing this requires modifying one of the upstream source files, so it
cannot be done w/o bumping the version number. This is the equivalent
of a tarball repack, so something like +ds or similar needs to be added
to the upstream version string to be able to avoid collisions.
I sent a mail about all this to debian-devel some weeks ago:
<https://lists.debian.org/debian-devel/2019/04/msg00459.html>
Thanks,
Guillem
