Bug#856128: debian-watch-may-check-gpg-signature: false positives
2017-02-26 12:07 GMT+02:00 Mattia Rizzolo <mattia@debian.org>:
> Control: tag -1 moreinfo
>
> On Sat, Feb 25, 2017 at 01:04:54PM +0000, Martin-Éric Racine wrote:
>> It appears that debian-watch-may-check-gpg-signature generates false positives.
>>
>> On src:cups-pdf Lintian reports debian-watch-may-check-gpg-signature
>> yet upstream does not publish any GPG signature. However, upstream
>> does publish foo.tar.gz.md5 checksums.
>
> lintian has no knowledge, nor has any way to know that a given upstream
> publishes gpg signatures…
On what basis does it report the error then?
> the problem is that your watch file does not check for a gpg signature,
> exactly as the tag says. And as the tag description says:
It does not check for it because upstream does not provide any.
> N: If upstream distributions provide such signatures, please use the
> N: pgpsigurlmangle options in this watch file's opts= to generate the URL
> N: of an upstream GPG signature. This signature is automatically
> N: downloaded and verified against a keyring stored in
> N: debian/upstream/signing-key.asc.
>
>
> (instead of pgpsigurlmangle you can use pgpmode=auto if uscan is clever
> enough for this case)
>
>
> does this solve your issue?
No, it does not. Adding a pgpsigurlmangle option won't magically make
upstream produce GPG signatures.
Martin-Éric
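As an added illustration (not from the bug report or from the cups-pdf packaging), this is what a debian/watch file that satisfies the tag looks like for a hypothetical upstream that does publish detached .asc signatures next to its tarballs; the example.org URL and the tarball name pattern are assumptions:

```text
# debian/watch (constructed example; example.org and the tarball name are assumptions)
version=4
# pgpsigurlmangle rewrites the tarball URL into the signature URL, here by appending ".asc";
# uscan downloads that signature and verifies it against debian/upstream/signing-key.asc.
opts="pgpsigurlmangle=s/$/.asc/" \
  https://www.example.org/releases/ cups-pdf-(\d[\d.]*)\.tar\.gz

# Alternative when uscan can work out the signature filename on its own:
# opts="pgpmode=auto" \
#   https://www.example.org/releases/ cups-pdf-(\d[\d.]*)\.tar\.gz
```

An upstream that publishes only .md5 files beside the tarball, as described for cups-pdf above, gives uscan nothing to verify, so neither option applies there.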