Package: devscripts
Version: 2.24.9
Severity: normal

Hello,


Please consider making uscan notify the user when expired signing keys are
used. That sounds like a wish, but the bug severity is set to normal,
because I think that noticing expired signing keys is normal.


What follows is a demonstration of the current (mis)behaviour.



stappers@paddy:~/kanweg
$ debcheckout radvd
declared git repository at https://salsa.debian.org/debian/radvd.git
git clone https://salsa.debian.org/debian/radvd.git radvd ...
Cloning into 'radvd'...
remote: Enumerating objects: 1422, done.
remote: Total 1422 (delta 0), reused 0 (delta 0), pack-reused 1422 (from 1)
Receiving objects: 100% (1422/1422), 795.85 KiB | 823.00 KiB/s, done.
Resolving deltas: 100% (941/941), done.
stappers@paddy:~/kanweg
$ cd radvd/
stappers@paddy:~/kanweg/radvd
$ uscan
Attempt to call undefined import method with arguments (":util") via package 
"Dpkg::Changelog" (Perhaps you forgot to load the package?) at 
/usr/share/perl5/Dpkg/Changelog/Debian.pm line 52.
Newest version of radvd on remote site is 2.20, local version is 2.19
 => Newer package available from:
        => 
https://github.com/radvd-project/radvd/releases/download/v2.20/radvd-2.20.tar.xz
gpgv: Signature made Tue Dec 31 07:19:47 2024 CET
gpgv:                using RSA key BDEBB6A52F156FDF3168D91119395F23C58826C4
gpgv: Good signature from "Robin Hugh Johnson <robin.john...@bc.libraries.coop>"
Leaving ../radvd_2.20.orig.tar.xz where it is.
stappers@paddy:~/kanweg/radvd
$ rm ../radvd_2.20.orig.tar.xz
stappers@paddy:~/kanweg/radvd
$ uscan -vv
uscan info: uscan (version 2.24.9) See uscan(1) for help
uscan info: Scan watch files in .
uscan debug: Found ./debian
uscan info: Check debian/watch and debian/changelog in .
Attempt to call undefined import method with arguments (":util") via package 
"Dpkg::Changelog" (Perhaps you forgot to load the package?) at 
/usr/share/perl5/Dpkg/Changelog/Debian.pm line 52.
uscan info: package="radvd" version="1:2.19-1" (as seen in debian/changelog)
uscan info: package="radvd" version="2.19" (no epoch/revision)
uscan info: ./debian/changelog sets package="radvd" version="2.19"
uscan info: Found upstream signing keyring: debian/upstream/signing-key.asc
uscan info: Process watch file at: debian/watch
    package = radvd
    version = 2.19
    pkg_dir = .
uscan debug: parse line opts="compression=xz, pgpsigurlmangle=s/$/.asc/, 
dversionmangle=s/\+(?:git)?[0-9]*(?:\+g[0-9a-f]*)//, 
downloadurlmangle=s#/tag/#/download/#;s#(v?(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*)))0/radvd-.tar.xz#,
 filenamemangle=s#v?(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))#radvd-.tar.xz#" 
https://github.com/radvd-project/radvd/tags 
.*/releases/tag/v?(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))
uscan info: opts: compression=xz, pgpsigurlmangle=s/$/.asc/, 
dversionmangle=s/\+(?:git)?[0-9]*(?:\+g[0-9a-f]*)//, 
downloadurlmangle=s#/tag/#/download/#;s#(v?(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*)))0/radvd-.tar.xz#,
 filenamemangle=s#v?(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))#radvd-.tar.xz#
uscan info: line: https://github.com/radvd-project/radvd/tags 
.*/releases/tag/v?(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))
uscan info: Parsing compression=xz
uscan info: Parsing  pgpsigurlmangle=s/$/.asc/
uscan info: Parsing  dversionmangle=s/\+(?:git)?[0-9]*(?:\+g[0-9a-f]*)//
uscan info: Parsing  
downloadurlmangle=s#/tag/#/download/#;s#(v?(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*)))0/radvd-.tar.xz#
uscan info: Parsing  
filenamemangle=s#v?(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))#radvd-.tar.xz#
uscan info: line: https://github.com/radvd-project/radvd/tags 
.*/releases/tag/v?(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))
uscan debug: ->{'pgpmode'}=mangle, ->{'pgpsigurlmangle'}=s/$/.asc/
uscan info: Last orig.tar.* tarball version (from debian/changelog): 2.19
uscan debug: safe_replace input="2.19"
uscan debug: safe_replace with regexp="\+(?:git)?[0-9]*(?:\+g[0-9a-f]*)", 
replacement="", and flags=""
uscan debug: After dversionmangle: 2.19
uscan info: Last orig.tar.* tarball version (dversionmangled): 2.19
uscan debug: watch file has:
            = https://github.com/radvd-project/radvd/tags
     = .*/releases/tag/v?(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))
     = 2.19
          = 
    mode         = http
    pgpmode      = mangle
    versionmode  = newer
            = https://github.com
         = /radvd-project/radvd/
uscan debug: line: search()
uscan info: Requesting URL:
   https://github.com/radvd-project/radvd/tags
uscan info: Matching pattern:
   
(?:(?:https://github.com)?\/radvd\-project\/radvd\/)?.*/releases/tag/v?(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))
uscan debug: Resolving urls with query part unimplemented
uscan info: Found the following matching hrefs on the web page (newest first):
   https://github.com/radvd-project/radvd/releases/tag/v2.20 (2.20) 
index=2.20-0 
   https://github.com/radvd-project/radvd/releases/tag/v2.20 (2.20) 
index=2.20-0 
   https://github.com/radvd-project/radvd/releases/tag/v2.20 (2.20) 
index=2.20-0 
   https://github.com/radvd-project/radvd/releases/tag/v2.20 (2.20) 
index=2.20-0 
.... 31 lines deleted ....
   https://github.com/radvd-project/radvd/releases/tag/v2.16 (2.16) 
index=2.16-0 
   https://github.com/radvd-project/radvd/releases/tag/v2.16 (2.16) 
index=2.16-0 
   https://github.com/radvd-project/radvd/releases/tag/v2.16 (2.16) 
index=2.16-0 
uscan info: Looking at  = https://github.com/radvd-project/radvd/tags with
     = .*/releases/tag/v?(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*)) found
         = https://github.com/radvd-project/radvd/releases/tag/v2.20
      = 2.20
     = 2.19
uscan debug: line: get_upstream_url()
uscan info: Matching target for downloadurlmangle: 
https://github.com/radvd-project/radvd/releases/tag/v2.20
uscan debug: safe_replace 
input="https://github.com/radvd-project/radvd/releases/tag/v2.20";
uscan debug: safe_replace with regexp="/tag/", replacement="/download/", and 
flags=""
uscan debug: After downloadurlmangle: 
https://github.com/radvd-project/radvd/releases/download/v2.20
uscan debug: safe_replace 
input="https://github.com/radvd-project/radvd/releases/download/v2.20";
uscan debug: safe_replace with 
regexp="(v?(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*)))$", 
replacement="/radvd-.tar.xz", and flags=""
uscan debug: After downloadurlmangle: 
https://github.com/radvd-project/radvd/releases/download/v2.20/radvd-2.20.tar.xz
uscan info: Upstream URL(+tag) to download is identified as    
https://github.com/radvd-project/radvd/releases/download/v2.20/radvd-2.20.tar.xz
uscan debug: line: get_newfile_base()
uscan info: Matching target for filenamemangle: 
https://github.com/radvd-project/radvd/releases/tag/v2.20
uscan debug: safe_replace 
input="https://github.com/radvd-project/radvd/releases/tag/v2.20";
uscan debug: safe_replace with 
regexp="v?(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))", replacement="radvd-.tar.xz", 
and flags=""
uscan debug: After filenamemangle: 
https://github.com/radvd-project/radvd/releases/tag/radvd-2.20.tar.xz
uscan info: Filename (filenamemangled) for downloaded file: radvd-2.20.tar.xz
uscan debug: line: cmp_versions()
Newest version of radvd on remote site is 2.20, local version is 2.19
 => Newer package available from:
        => 
https://github.com/radvd-project/radvd/releases/download/v2.20/radvd-2.20.tar.xz
uscan debug: line: download_file_and_sig()
uscan info: Not downloading, using existing file: radvd-2.20.tar.xz
uscan debug: safe_replace 
input="https://github.com/radvd-project/radvd/releases/download/v2.20/radvd-2.20.tar.xz";
uscan debug: safe_replace with regexp="$", replacement=".asc", and flags=""
uscan debug: After pgpsigurlmangle: 
https://github.com/radvd-project/radvd/releases/download/v2.20/radvd-2.20.tar.xz.asc
uscan debug: Add asc suffix based on 
https://github.com/radvd-project/radvd/releases/download/v2.20/radvd-2.20.tar.xz.asc.
uscan info: Downloading OpenPGP signature from:
   
https://github.com/radvd-project/radvd/releases/download/v2.20/radvd-2.20.tar.xz.asc
 (pgpsigurlmangled)
   as radvd-2.20.tar.xz.asc
uscan info: Requesting URL:
   
https://github.com/radvd-project/radvd/releases/download/v2.20/radvd-2.20.tar.xz.asc
uscan info: Verifying OpenPGP signature ../radvd-2.20.tar.xz.asc for 
../radvd-2.20.tar.xz
uscan debug: Execute: gpgv --homedir /dev/null --keyring 
/tmp/cRwGYkcyzd/upstream-signing-key.pgp ../radvd-2.20.tar.xz.asc 
../radvd-2.20.tar.xz...
gpgv: Signature made Tue Dec 31 07:19:47 2024 CET
gpgv:                using RSA key BDEBB6A52F156FDF3168D91119395F23C58826C4
gpgv: Good signature from "Robin Hugh Johnson <robin.john...@bc.libraries.coop>"
uscan info: New orig.tar.* tarball version (oversionmangled): 2.20
uscan debug: line: mkorigtargz()
uscan info: Launch mk-origtargz with options:
   --package radvd --version 2.20 --signature 1 --signature-file 
../radvd-2.20.tar.xz.asc --compression xz --directory .. --copyright-file 
debian/copyright ../radvd-2.20.tar.xz
Successfully symlinked ../radvd-2.20.tar.xz to ../radvd_2.20.orig.tar.xz.
uscan info: New orig.tar.* tarball version (after mk-origtargz): 2.20
uscan info: Scan finished
stappers@paddy:~/kanweg/radvd
$ mkdir manual_verify
stappers@paddy:~/kanweg/radvd
$ cd manual_verify/
stappers@paddy:~/kanweg/radvd/manual_verify
$ wget --quiet https://github.com/radvd-project/radvd/releases/download/v2.20/radvd-2.20.tar.xz
stappers@paddy:~/kanweg/radvd/manual_verify
$ wget --quiet https://github.com/radvd-project/radvd/releases/download/v2.20/radvd-2.20.tar.xz.asc
stappers@paddy:~/kanweg/radvd/manual_verify
$ gpg --verify radvd-2.20.tar.xz.asc 
gpg: assuming signed data in 'radvd-2.20.tar.xz'
gpg: Signature made Tue Dec 31 07:19:47 2024 CET
gpg:                using RSA key BDEBB6A52F156FDF3168D91119395F23C58826C4
gpg: Good signature from "Robin Hugh Johnson <robin.john...@bc.libraries.coop>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 7D0B 3CEB E9B8 5B1F 825B  CECF EE05 E6F6 A48F 6136
     Subkey fingerprint: BDEB B6A5 2F15 6FDF 3168  D911 1939 5F23 C588 26C4
stappers@paddy:~/kanweg/radvd/manual_verify
$


Regards
Geert Stappers
-- 
Silence is hard to parse
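
The report above shows gpgv printing "Good signature" where gpg --verify adds "[expired]". The following is an added example, not part of the original message and not devscripts code: a pre-check that lists expired keys in a keyring from GnuPG's colon-format listing. The function names and the sample listing are constructed for illustration; it assumes GnuPG 2.x, where field 7 of pub/sub records is the expiry in epoch seconds.

```shell
#!/bin/sh
# Added example: flag expired keys in an upstream signing keyring.
# Assumes GnuPG 2.x colon listings: field 1 = record type, field 5 = key ID,
# field 7 = expiry in epoch seconds (empty when the key never expires).

# expired_keys NOW: read a --with-colons listing on stdin and print every
# primary key or subkey whose expiry is at or before NOW (epoch seconds).
expired_keys() {
    awk -F: -v now="$1" '
        ($1 == "pub" || $1 == "sub") && $7 != "" && ($7 + 0) <= (now + 0) {
            printf "%s %s expired=%s\n", $1, $5, $7
        }'
}

# check_keyring FILE: list the keys in FILE without importing them and
# report the ones that are expired at the current time.
check_keyring() {
    gpg --show-keys --with-colons "$1" | expired_keys "$(date +%s)"
}

# Constructed sample listing (not the radvd key): an expired primary key,
# one expired subkey, one subkey without expiry, one valid until later.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:1700000000::-:::scESC::::::23::0:
uid:-::::1500000000::::Constructed Upstream <upstream@example.org>::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1500000000:1700000000:::::s::::::23:
sub:-:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::e::::::23:
sub:-:4096:1:DDDDDDDDDDDDDDDD:1500000000:1900000000:::::s::::::23:
EOF
}

# Demo on the constructed sample with a fixed reference time.
sample_listing | expired_keys 1750000000
```

Running `check_keyring debian/upstream/signing-key.asc` in a package tree prints one line per expired key or subkey and nothing when all keys are current.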
