Hello,

On Sun 23 Mar 2025 at 12:27pm GMT, Ian Jackson wrote:

> Package: dgit
> Version: 12.9
>
> In https://salsa.debian.org/dgit-team/dgit/-/issues/65 we see this
>
> Successfully signed dsc, buildinfo, changes files
> gpg: ../bpd/dgit-test-dummy_1.109_source.changes: Error checking signature
> from 606D084E4683C079: SignatureVerifyError: 0
> gpg: ../bpd/dgit-test-dummy_1.109.dsc: Error checking signature from
> 606D084E4683C079: SignatureVerifyError: 0
> Checking signature on .changes
> Checking signature on .dsc
> Uploading to ftp-master (via ftp to ftp.upload.debian.org):
>
> I think: the two messages from gpg were generated by gpg runs invoked
> by dput; the two messages "Checking signature" were also from dput;
> the messages are out of order due to stdio buffering.
>
> I think this verification is useless and dgit should always suppress
> it. dgit has *just made* these signatures (via debsign). With
> `dgit rpush` the keys might not be available.
>
> We could do this by passing -u to dput. But the user might have
> said --dput=dupload and dupload has no -u option.

Fortunately dput-ng does have the -u option.

> We could:
>
> 1. Ask dput for a way to control this with environment variables
> 2. Ask dupload to accept and ignore --unchecked (seems weird, and
>    has troublesome compat implications)
> 3. Add -u only if the dput command =~ m/dput/ (but we'd need the
>    user to be able to override it with --dput!:--unchecked
>    and that is going to be fiddly).

I think special-casing dupload vs. dput is appropriate. There's not
likely to be a new one beyond dput-ng (because dgit is that).

-- 
Sean Whitton