
Bug#982562: general: Storing upstream signatures next to upstream tarballs is problematic



Control: block -1 by 876643

Hi,

thanks for your quick answer!

On Fri, 12 Feb 2021, Guillem Jover wrote:
> > If we assume that the archive is meant to store immutable content
> > under a given filename (and to me that requirement seems to be a good
> > idea), then we should question ourselves whether we really want to store
> > those signatures in a filename that's associated to the upstream version.
> > They should either be tied to the Debian revision (so that they can change
> > over time without any new upstream release) or be incorporated in the
> > Debian tarball.
> 
> The upstream signatures are important to determine the provenance of
> the source at the time of packaging, just like the signatures on .dsc,
> both lose relevance once they hit an archive.

I agree with this. Why do we want to upload them and store them forever
then?

> This seems mostly a tooling problem TBH.

Yeah, it would go a long way if pristine-tar would store the associated
signature and restore it as well. It's easy to forget to include it
when the uploads are not done by the same person.

Because I already saw the warning saying that I lack the signature file
(based on the idea that if we have the upstream key we want to upload the
signature, but I don't buy this, I believe it's a help for the maintainer
to verify the tarball it downloads during uscan but I don't see the point
to upload it for eternity) and I saw it as a nuisance more than a help...
I would usually not check if there really was a signature file before or
not.

On Fri, 12 Feb 2021, Guillem Jover wrote:
> > This usually appears in the way of people uploading a package with the same
> > name and version of something that was removed long long ago and since then
> > archived and forgotten by dak.
> 
> Ah, sorry, right, that dak forgetfulness problem which seems
> contagious. :)
>
> Ok, so then these seem like two bugs in dak. dak sees the .asc, then
> they disappear and it forgets them, and then files with different
> content can then be uploaded.

FTR this is the bug that has been ignored for years and that also
affected Kali more than once:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876643

Kali would be happy to sponsor anyone who can tackle this bug in dak...

> While ideally dak would never forget, the problem here is that dak
> allows uploads that drop the .asc files, no?

Possibly... but then it means that you need to treat signature files
differently from any other extra file that you want to attach to the .dsc.
Because for extra .orig tarballs, we want the current behaviour where you
can add and drop them freely between Debian revisions.

So I'm not sure it's worth the extra logic.

Cheers,
-- 
  ⢀⣴⠾⠻⢶⣦⠀   Raphaël Hertzog <hertzog@debian.org>
  ⣾⠁⢠⠒⠀⣿⡁
  ⢿⡄⠘⠷⠚⠋    The Debian Handbook: https://debian-handbook.info/get/
  ⠈⠳⣄⠀⠀⠀⠀   Debian Long Term Support: https://deb.li/LTS
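As an added illustration of the check debated in this message (a guard an archive could apply when a new Debian revision of the same upstream version is uploaded; this is example code, not code from dak, pristine-tar or anyone in this thread, and the two .dsc stanzas with their checksums are constructed), a shell function that compares the Checksums-Sha256 stanzas of an accepted .dsc and of a new upload, reports an upstream file whose content changed under the same name or an .asc that silently disappeared, and leaves extra .orig tarballs free to be added or dropped:

```shell
#!/bin/sh
# Added example, not code from the bug thread, dak or pristine-tar: compare
# the Checksums-Sha256 stanza of an accepted .dsc with that of a new upload
# for the same upstream version. Same filename with different content, or a
# vanished .orig.tar.*.asc, is reported; extra .orig tarballs may still be
# added or dropped freely, as the thread wants.
# Both stanzas are constructed sample data (fake checksums).
OLD_DSC='Checksums-Sha256:
 1111111111111111111111111111111111111111111111111111111111111111 1024 foo_1.0.orig.tar.gz
 2222222222222222222222222222222222222222222222222222222222222222 833 foo_1.0.orig.tar.gz.asc
 3333333333333333333333333333333333333333333333333333333333333333 2048 foo_1.0-1.debian.tar.xz'
NEW_DSC='Checksums-Sha256:
 1111111111111111111111111111111111111111111111111111111111111111 1024 foo_1.0.orig.tar.gz
 4444444444444444444444444444444444444444444444444444444444444444 2100 foo_1.0-2.debian.tar.xz'

# Print "sha256 filename" for each upstream artefact (.orig.tar.* and its
# .asc) listed in the Checksums-Sha256 stanza of a .dsc read from stdin.
upstream_files() {
    awk '/^Checksums-Sha256:/ { on = 1; next }
         /^[^ ]/ { on = 0 }
         on && $3 ~ /\.orig(-[a-z0-9]+)?\.tar\.[a-z0-9]+(\.asc)?$/ { print $1, $3 }'
}

# check_upload OLD NEW: print "CHANGED <file>" when a filename keeps its name
# but not its content, "DROPPED <file>" when an .asc is missing from NEW.
# Returns 0 when the upload is consistent with the archive, 1 otherwise.
check_upload() {
    old=$(printf '%s\n' "$1" | upstream_files)
    new=$(printf '%s\n' "$2" | upstream_files)
    problems=$(printf '%s\n' "$old" | while read -r osum oname; do
        [ -n "$oname" ] || continue
        nsum=$(printf '%s\n' "$new" | awk -v n="$oname" '$2 == n { print $1 }')
        if [ -z "$nsum" ]; then
            case "$oname" in *.asc) echo "DROPPED $oname" ;; esac
        elif [ "$nsum" != "$osum" ]; then
            echo "CHANGED $oname"
        fi
    done)
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

check_upload "$OLD_DSC" "$NEW_DSC" || echo "upload would be rejected"
```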

