On Sun, 12 Jun 2016 11:48:06 +0900 Osamu Aoki <[email protected]> wrote:
> Hi,
>
> As for quieting lintian for sig-check, let's use the newly available
> explicit option opts="pgpmode=none" to the watch file and make lintian
> understand this option. (Or lintian override).

It's a pedantic tag, so it's not a problem in itself. It's just that
I'd like to be able to use the functionality.

> But the wishlist bug for uscan should be how to get it right for git
> repo signature check.
>
> On Sat, Jun 11, 2016 at 09:33:37PM +0100, Neil Williams wrote:
> > Package: devscripts
> > Version: 2.16.5
> > Severity: wishlist
> > File: /usr/bin/uscan
> >
> > uscan supports git tags in the debian/watch file
>
> Yes via the newly available git mode with the newest uscan supporting
> version=4.

OK, I'm using version=3 at the moment with:

https://git.linaro.org/lava/lava-dispatcher.git/tags /lava/lava-dispatcher.git/log/refs/tags/(.*)

I'm migrating to:

version=4
opts="mode=git,pgpmode=auto" \
http://git.linaro.org/lava/lava-dispatcher.git \
refs/tags/([\d+.\d+.\d?\.]+) debian uupdate

> > uscan seems to lack this support - assuming that a separate .asc or
> > .sig file can be downloaded which does not work for a signed git
> > tag.
>
> uscan works in 3 stages:
> stage1: check some URL to find if there is newer version
> stage2: download and optionally check signature
> stage3: use uupdate to make a new template package
>
> If people only care about stage1 (that is the case for this example
> watch file), then sig-check does not work for sure. Lintian assumes
> you to use full capability of the uscan from stage1 to stage3.
>
> I think problem comes if there is no published URL for tarball and no
> sig. Or even no URL for tags. Then you use the new git mode.
>
> Currently, it can create tarball but has not added support for the
> signed tag.
>
> One problem I am worried is the tarballs generated locally itself or
> one generated some web interface are not reproducible as I
> understand. So sigcheck is possible for uncompressed tarball or git
> signature.

TBH I'm not using the tarball that uscan would create (yet) - issues
with setuptools currently - but I am planning to investigate how to
drop setuptools. debian/watch is mainly for others to monitor rather
than to assist uploads/rebuilds - but then I'm upstream too, so it's
not a problem.

> I welcome such feature addition. Please send me shell execution
> example how that is done manually.

Does uscan clone the repository or do everything remotely? I've been
unable to find a way to verify the tag remotely. With a cloned repo,
(possibly in a throw away tmpfs directory with the --no-checkout
option) it's a simple git verify-tag <tag>.

$ git clone -n http://git.linaro.org/lava/lava-dispatcher.git
$ cd <package>
$ git verify-tag 2016.6
gpg: Signature made Mon 06 Jun 2016 08:01:01 BST using RSA key ID 8143B682
gpg: Good signature from "Neil Williams (Debian) <[email protected]>"
gpg:                 aka "Neil Williams <[email protected]>"
gpg:                 aka "Neil Williams (codehelp) <[email protected]>"

--
Neil Williams
=============
http://www.linux.codehelp.co.uk/
_______________________________________________
devscripts-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
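
The manual procedure from the mail above (clone without a checkout into a throwaway directory, then git verify-tag), written as a script that also checks who signed the tag. This is an added example, not part of the original message and not uscan's code: the function names, the idea of pinning one primary-key fingerprint, and the sample fingerprint and status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a signed git tag against a pinned key fingerprint.
# Function names and sample values are hypothetical, not taken from uscan.

# check_status PINNED_FPR
# Reads GnuPG status lines (as printed by `git verify-tag --raw`) on stdin.
# Succeeds only if a VALIDSIG line names PINNED_FPR as the primary key and
# no line reports a bad, unverifiable, expired or revoked signature or key.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing key, the last field is the primary key
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_remote_tag URL TAG PINNED_FPR
# Clones with -n (no checkout) into a temporary directory, then feeds the
# raw status output of git verify-tag to check_status. Returns 2 on setup
# errors, otherwise the result of check_status.
verify_remote_tag() {
    url=$1 tag=$2 fpr=$3
    tmp=$(mktemp -d) || return 2
    git clone -q -n "$url" "$tmp/repo" || { rm -rf "$tmp"; return 2; }
    # --raw prints GnuPG status lines on stderr instead of the "gpg:" text
    git -C "$tmp/repo" verify-tag --raw "$tag" 2>&1 | check_status "$fpr"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed sample (not real output): status lines for a good signature
# made by a key whose primary fingerprint is the placeholder SAMPLE_FPR.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Upstream <upstream@example.org>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2016-06-06 1465196461 0 4 0 1 8 00 $SAMPLE_FPR"

# Run only when called as: script URL TAG FINGERPRINT
if [ "$#" -eq 3 ]; then
    verify_remote_tag "$1" "$2" "$3" && echo "tag $2: good signature from pinned key"
fi
```

A plain `git verify-tag` succeeds for any key present in the caller's keyring, so the fingerprint comparison is what ties the result to the expected upstream signer.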
