On Mon, Sep 05, 2011 at 09:53:59PM +0200, Lucas Nussbaum wrote:
> Package: debsigs
> Version: 0.1.17
> Severity: serious
> User: debian...@lists.debian.org
> Usertags: instest-20110825 instest
> 
> Hi,
> 
> While testing the installation of all packages in sid, I ran
> into the following problem:
> 
> > Reading package lists...
> > Building dependency tree...
> > Reading state information...
> > Starting
> > Starting 2
> > Done
> > The following NEW packages will be installed:
> > debsigs
> > 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
> > 11 not fully installed or removed.
> > Need to get 52.9 kB of archives.
> > After this operation, 184 kB of additional disk space will be used.
> > Get:1 http://localhost/debian/ sid/main debsigs all 0.1.17 [52.9 kB]
> > Fetched 52.9 kB in 0s (969 kB/s)
> > Authenticating /var/cache/apt/archives/debsigs_0.1.17_all.deb ...
> > debsig: Origin Signature check failed. This deb might not be signed.
> > 
> > dpkg: error processing /var/cache/apt/archives/debsigs_0.1.17_all.deb 
> > (--unpack):
> > Verification on package /var/cache/apt/archives/debsigs_0.1.17_all.deb 
> > failed!
> > configured to not write apport reports
> > Errors were encountered while processing:
> > /var/cache/apt/archives/debsigs_0.1.17_all.deb
> > E: Sub-process /usr/bin/dpkg returned an error code (1)
> 
> The full build log is available from:
>  http://people.debian.org/~lucas/logs/2011/08/25/debsigs.log
> 
> It is reproducible by installing your package in a clean chroot, using
> the debconf Noninteractive frontend, and priority: critical.

The direct reason for this failure is that, for some reason, dpkg
decided to do more extensive signature checking than usual - namely, to
invoke debsig-verify(1) on the binary package file.  Since debsigs is
the only package in the archive that may pull in debsig-verify, this is
the only time this error would have come up :)  And since, well, yes, I
failed to sign the debsigs package using itself before uploading it,
debsig-verify would indeed claim an error.  So, yes, partly my fault,
I'll take care to sign at least the debsigs packages in my next uploads
:)  Thanks for alerting me to this!

However...  The real question is why dpkg even tried to invoke
debsig-verify - isn't the "no-debsig" option present in
/etc/dpkg/dpkg.cfg (again) ever since #311843 and dpkg-1.14.17?  Or are
you running this build with a completely cleaned-up /etc/dpkg/dpkg.cfg,
too?  In this particular case, this might be a bad idea - if any
packages should pull in debsig-verify, this would indeed prevent the
further installation of, well, pretty much *all* the packages in the
Debian archive, since debsigs does not yet have widespread adoption, to
say the least :P (and no, this is NOT a complaint or anything, I know
that pushing for debsigs adoption for all packages would be kind of,
well, counter-productive and doomed :)

Of course, as noted above, the only package likely to pull in
debsig-verify is currently debsigs itself, but I still think that doing
mass automated builds withOUT no-debsig is not a very good idea.

Sure, I'll sign the next debsigs upload, no problem, and thanks for the
bug report and for all of your (and the rest of the QA team's) awesome
work!

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@freebsd.org pe...@packetscale.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
Nostalgia ain't what it used to be.
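
The following pre-flight check is an added example, not part of the original message or of dpkg: it reports whether dpkg inside a given chroot would run debsig-verify on the packages it unpacks. It assumes that dpkg option files hold one option per line without leading dashes, that lines starting with `#` are comments, and that dpkg only attempts the check when /usr/bin/debsig-verify exists; the function names and the sample root are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether dpkg in a given root
# would run debsig-verify on the packages it unpacks.
# Assumptions: option files hold one option per line without leading dashes,
# a line starting with '#' is a comment, and dpkg only attempts the check
# when /usr/bin/debsig-verify exists.

# has_no_debsig FILE...: succeeds if any file has an active "no-debsig" line.
has_no_debsig() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*no-debsig[[:space:]]*$' "$f"; then
            return 0
        fi
    done
    return 1
}

# debsig_state ROOT: prints "disabled", "inactive" or "enforced".
debsig_state() {
    root=${1%/}
    if has_no_debsig "$root/etc/dpkg/dpkg.cfg" "$root"/etc/dpkg/dpkg.cfg.d/*; then
        echo disabled      # no-debsig set: signatures are never checked
    elif [ ! -x "$root/usr/bin/debsig-verify" ]; then
        echo inactive      # verifier absent: nothing for dpkg to invoke
    else
        echo enforced      # unsigned .debs will fail to unpack, as in the log
    fi
}

# Constructed sample: a cleaned-up dpkg.cfg (option commented out) in a
# throwaway root that has debsig-verify installed.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/dpkg" "$demo_root/usr/bin"
printf '# no-debsig\n' > "$demo_root/etc/dpkg/dpkg.cfg"
printf '#!/bin/sh\n' > "$demo_root/usr/bin/debsig-verify"
chmod +x "$demo_root/usr/bin/debsig-verify"
echo "before: $(debsig_state "$demo_root")"
printf 'no-debsig\n' >> "$demo_root/etc/dpkg/dpkg.cfg"
echo "after:  $(debsig_state "$demo_root")"
rm -rf "$demo_root"
```

Running `debsig_state /path/to/chroot` before a mass install shows whether a single package pulling in debsig-verify would make every unsigned .deb fail to unpack.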
