Hi,

As for quieting lintian for sig-check, let's use the newly available explicit option opts="pgpmode=none" in the watch file and make lintian understand this option. (Or a lintian override.)

But the wishlist bug for uscan should be how to get it right for git repo signature check.

On Sat, Jun 11, 2016 at 09:33:37PM +0100, Neil Williams wrote:
> Package: devscripts
> Version: 2.16.5
> Severity: wishlist
> File: /usr/bin/uscan
>
> uscan supports git tags in the debian/watch file

Yes, via the newly available git mode with the newest uscan supporting version=4. But most version=3 watch files rely on some web page URL publishing git tags and don't interact directly with git.

> but lintian picks up that the signatures could be checked.

I see. Annoying, I agree.

> uscan seems to lack this support - assuming that a separate .asc or
> .sig file can be downloaded which does not work for a signed git tag.

If a separate URL can be automatically generated by a rule, we support downloading a separate .asc or .sig file for the signature check. Also, the URL to download the tarball needs to be automatically generated by a rule. Then we can automate downloading the tarball and checking the signature in the old way.

> https://lintian.debian.org/tags/debian-watch-may-check-gpg-signature.html

Yes.

> https://sources.debian.net/src/lava-dispatcher/2016.6-2/debian/watch/

This example is in the old version=3 style tracking. I don't think this downloads the tarball or the signature.

uscan works in 3 stages:

  stage1: check some URL to find if there is a newer version
  stage2: download and optionally check signature
  stage3: use uupdate to make a new template package

If people only care about stage1 (that is the case for this example watch file), then sig-check does not work for sure. Lintian assumes you use the full capability of uscan from stage1 to stage3.

I think the problem comes if there is no published URL for the tarball and no sig. Or even no URL for tags. Then you use the new git mode. Currently, it can create a tarball but has not added support for the signed tag.

One problem I am worried about is that tarballs generated locally, or ones generated by some web interface, are not reproducible, as I understand.

So sig-check is possible for an uncompressed tarball or a git signature. I welcome such a feature addition. Please send me a shell execution example of how that is done manually.

Regards,

Osamu
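
One way the manual check discussed in this message can be done, as an added example that is not part of the original message and not uscan's own code: verify the signed git tag first, and only then export the tree as an uncompressed tarball. The function names, the throwaway key, the repository and the tags `v1.0` and `v1.1` are all constructed for this illustration.

```sh
#!/bin/sh
# Added example (not from the thread): export an upstream tree only when the
# git tag it comes from has a signature that verifies against the keyring.

# verify_and_export REPO TAG OUTDIR
# Returns 0 and writes OUTDIR/<repo>-<tag>.tar only if the tag verifies.
verify_and_export() {
    repo=$1; tag=$2; out=$3
    # verify-tag fails for unsigned or lightweight tags, for bad signatures
    # and for signatures made by keys that are not in the keyring.
    git -C "$repo" verify-tag "$tag" >/dev/null 2>&1 || return 1
    name=$(basename "$repo")
    # Uncompressed tar of the tree the verified tag points to.
    git -C "$repo" archive --format=tar --prefix="$name-$tag/" "$tag" \
        > "$out/$name-$tag.tar"
}

# make_fixture WORKDIR
# Constructed sample data: a throwaway keyring plus a repository "demo" with
# one signed tag (v1.0) and one unsigned annotated tag (v1.1).
make_fixture() {
    work=$1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    gpg --batch --quiet --passphrase '' --quick-generate-key \
        'Constructed Upstream <upstream@example.invalid>' \
        default default never >/dev/null 2>&1 || return 1
    git init -q "$work/demo" || return 1
    g() {
        git -C "$work/demo" -c user.name='Constructed Upstream' \
            -c user.email='upstream@example.invalid' \
            -c user.signingkey='upstream@example.invalid' "$@"
    }
    echo 'hello' > "$work/demo/README"
    g add README || return 1
    g commit -q -m 'initial' || return 1
    g tag -s -m 'release 1.0' v1.0 >/dev/null 2>&1 || return 1
    g tag -a -m 'release 1.1' v1.1 || return 1
}
```

In real use the keyring would hold the upstream signing key obtained out of band, not a key generated next to the repository.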
