
Bug#982562: general: Storing upstream signatures next to upstream tarballs is problematic



On Fri, 12 Feb 2021 15:41:09 +0100, Raphael Hertzog wrote:

> On Fri, 12 Feb 2021, Peter Pentchev wrote:
> > > Yeah, it would go a long way if pristine-tar would store the associated
> > > signature and restore it as well. It's easy to forget to include it
> > > when the uploads are not done by the same person.
> > 
> > It can, since version 1.41:
> > 
> >     debcheckout confget
> >     cd confget
> >     git checkout pristine-tar
> >     git checkout master
> >     git checkout debian/master
> >     pristine-tar checkout -s ../confget_2.3.4.orig.tar.xz.asc ../confget_2.3.4.orig.tar.xz
> 
> Well, then I assume that the git-buildpackage integration doesn't do
> this automatically. Honestly, you should not have to specify that you
> want to check out the associated signature at the same time or maybe with
> a generic option --include-associated-files that would not fail if
> there's no associated file.

From the changelog and the manpage of gbp-buildpackage, there's

       --git-upstream-signatures=[auto|on|off]
              Whether to export the upstream tarball with signatures.

which defaults to 'auto' … and after checking out pristine-tar it
does what it says on the tin:

gbp:info: Tarballs 'confget_2.3.4.orig.tar.xz' not found at '../tarballs/'
gbp:info: Creating /home/gregoa/tmp/build-area/confget_2.3.4.orig.tar.xz
[no message about the *.asc here]
…
[but it's there:]
dpkg-source: info: building confget using existing ./confget_2.3.4.orig.tar.xz
dpkg-source: info: building confget using existing ./confget_2.3.4.orig.tar.xz.asc

and also in the output directory:

% ll ../build-area/*orig*
-rw-rw-r-- 1 gregoa gregoa 34724 Feb 12 18:36 ../build-area/confget_2.3.4.orig.tar.xz
-rw-rw-r-- 1 gregoa gregoa   833 Feb 12 18:36 ../build-area/confget_2.3.4.orig.tar.xz.asc


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   NP: Neil Young: My My, Hey Hey
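
An added example, not part of the message above and not code from gbp or pristine-tar: a shell check that every orig tarball in a build area (such as ../build-area in the listing) has its detached upstream signature next to it. The function names and output format are hypothetical and the sample files are constructed; it checks presence and ASCII armor only, not cryptographic validity.

```shell
#!/bin/sh
# Report orig tarballs that lack a usable detached signature (<tarball>.asc).
# check_orig_signatures and make_sample_build_area are hypothetical helpers.

check_orig_signatures() {
    dir=$1
    missing=0
    # Main orig tarballs and additional component tarballs (orig-<name>).
    for tarball in "$dir"/*.orig.tar.* "$dir"/*.orig-*.tar.*; do
        # Skip unmatched globs and the signature files themselves.
        [ -f "$tarball" ] || continue
        case $tarball in *.asc) continue ;; esac

        sig=$tarball.asc
        if [ ! -s "$sig" ]; then
            # No .asc at all, or an empty one.
            echo "MISSING  ${tarball##*/}"
            missing=$((missing + 1))
        elif ! grep -q '^-----BEGIN PGP SIGNATURE-----' "$sig"; then
            # A file is there but it is not an armored signature.
            echo "INVALID  ${sig##*/}"
            missing=$((missing + 1))
        else
            echo "OK       ${tarball##*/}"
        fi
    done
    # Exit status is non-zero when any tarball has no usable signature.
    [ "$missing" -eq 0 ]
}

# Constructed sample: one tarball with a signature, one without.
make_sample_build_area() {
    d=$(mktemp -d)
    : > "$d/confget_2.3.4.orig.tar.xz"
    printf '%s\n' '-----BEGIN PGP SIGNATURE-----' 'constructed' \
        '-----END PGP SIGNATURE-----' > "$d/confget_2.3.4.orig.tar.xz.asc"
    : > "$d/example_1.0.orig.tar.gz"
    echo "$d"
}
```

Run as `check_orig_signatures ../build-area` before an upload; the non-zero exit status makes it usable as a pre-upload gate.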
