Hi, On Sun, Jun 12, 2016 at 10:11:52AM +0100, Neil Williams wrote: > On Sun, 12 Jun 2016 11:48:06 +0900 > Osamu Aoki <[email protected]> wrote: > > > Hi, > > > > As for quieting lintian for sig-check, let's use the newly available > > explicit option opts="pgpmode=none" to the watch file and make lintian > > understand this option. (Or lintian override). > > It's a pedantic tag, so it's not a problem in itself. It's just that > I'd like to be able to use the functionality. > > > But the wishlist bug for uscan should be how to get it right for git > > repo signature check. > > > > On Sat, Jun 11, 2016 at 09:33:37PM +0100, Neil Williams wrote: > > > Package: devscripts > > > Version: 2.16.5 > > > Severity: wishlist > > > File: /usr/bin/uscan > > > > > > uscan supports git tags in the debian/watch file > > > > Yes via the newly available git mode with the newest uscan supporting > > version=4. > > OK, I'm using version=3 at the moment with: > https://git.linaro.org/lava/lava-dispatcher.git/tags > /lava/lava-dispatcher.git/log/refs/tags/(.*)
Undocumented feature: Even for version=3, mode=git is not disabled. > I'm migrating to: > version=4 > opts="mode=git,pgpmode=auto" \ > http://git.linaro.org/lava/lava-dispatcher.git \ > refs/tags/([\d+.\d+.\d?\.]+) debian uupdate Yah, I wish this works like this :-) For now, only pgpmode=none is supported. This git mode is really experimental so I need help from possible user like you. > > > uscan seems to lack this support - assuming that a separate .asc or > > > .sig file can be downloaded which does not work for a signed git > > > tag. > > > > uscan works in 3 stages: > > stage1: check some URL to find if there is newer version > > stage2: download and optionally check signature > > stage3: use uupdate to make a new template package > > > > If people only care about stage1 (that is the case for this example > > watch file), then sig-check does not work for sure. Lintian assumes > > you to use full capability of the uscan from stage1 to stage3. > > > > I think problem comes if there is no published URL for tarball and no > > sig. Or even no URL for tags. Then you use the new git mode. > > > > Currently, it can create tarball but has not added support for the > > signed tag. > > > > One problem I am worried is the tarballs generated locally itself or > > one generated some web interface are not reproducible as I > > understand. So sigheck is possible for uncompressed tarball or git > > signature. > > TBH I'm not using the tarball that uscan would create (yet) - issues > with setuptools currently - but I am planning to investigate how to drop > setuptools. debian/watch is mainly for others to monitor rather than to > assist uploads/rebuilds - but then I'm upstream too, so it's not a > problem. uupdate only copies previous build system. Normally, debian/rules call setuptools to do the job. See how I as upstream iof the package debmake. Its repo is like a native package ree called devel and I autogenerate master and debian branch to make a non-native package. > > I welcome such feature addition. Please send me shell execution > > example how that is done manually. > > Does uscan clone the repository or do everything remotely? I've been > unable to find a way to verify the tag remotely. With a cloned repo, > (possibly in a throw away tmpfs directory with the --no-checkout option) > it's a simple git verify-tag <tag>. It does not clone just to scan tags since many archive sccaning service only use this stage only and wish to be light for them. But for creating tarball, I clone archive to local to use git archive. > $ git clone -n http://git.linaro.org/lava/lava-dispatcher.git > $ cd <package> > $ git verify-tag 2016.6 > gpg: Signature made Mon 06 Jun 2016 08:01:01 BST using RSA key ID > 8143B682 gpg: Good signature from "Neil Williams (Debian) > <[email protected]>" gpg: aka "Neil Williams > <[email protected]>" gpg: aka "Neil Williams > (codehelp) <[email protected]>" OK, all I need is to find way to specify special key location for git veryfy-tag. Thanks. When I find time, I will think about adding this to uscan. (uscan is in perl... sigh.) Osamu _______________________________________________ devscripts-devel mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
