Re: debian/upstream/signing-key.asc in policy 4.1.0
On Sun, Aug 27, 2017 at 08:51:49PM -0300, Henrique de Moraes Holschuh wrote:
> On Wed, 23 Aug 2017, Russ Allbery wrote:
> > Note that this Policy language is carefully written to make it perfectly
> > fine for uscan to support all the things it currently supports, since it
> > only talks about what Policy recommends the maintainer does. So don't
> > feel any obligation to change what uscan is doing on Policy's account
> > here.
> Actually, the text in 22.214.171.124 might be doing too much. It reads:
> "If the upstream maintainer of the software provides OpenPGP signatures
> for new releases, including the information required for "uscan" to
> verify signatures for new upstream releases is also recommended. To do
> this, use the "pgpsigurlmangle" option in "debian/watch" to specify
> the location of the upstream signature, and include the key or keys
> used to sign upstream releases in the Debian source package as
> IMO, it should either not be mandating uscan internals, or it should be
> very clear about the exact subset of stuff we can use in debian/watch
> (version, etc). For example, I'd rather use opt="..., pgpmode=auto,..."
> instead of explicitly hardcoding a "pgpsigurlmangle".
In principle, your comment is a very reasonable one.
The new pgpmode=auto and pgpmode=previous have bugs and fail to function
smoothly (#873289, #852537). Excuse me for these bugs. The fixes have
been committed to git. I am hoping the next upload of devscripts (and
its backport) will fix them. So "pgpsigurlmangle" is the only good way
at this moment.
> IMHO, just drop everything from "To do this..." to the end of that
> paragraph entirely. HOW one gets "uscan" to fetch and check upstream
> signatures is a job for the uscan(1) manpage. Alternatively, just
> mention "debian/watch", and to refer to the uscan documentation in
> package "devscripts".
Once pgpmode=auto becomes noise free, this should be the preferred
choice. It will be nice to address #833012, too, using s/\?/.asc?/ etc.
to make it really default one.
So for now, the policy text is better for me.
> OTOH, if we really need to mandate a specific level of debian/watch
> support, the current text in policy needs work: it doesn't even tell me
> whether I can use version=3 (supported in oldstable), or version=4
> (supported in oldstable-backports and stable), for example...
The uscan version=3/version=4 difference is not much about enhanced
mangling rules. It's about how uupdate is invoked and how uupdate
creates the updated source tree. version=4 uses dpkg-source as back-end
and is capable of generating multi-upstream tarballs.
If you use new uscan, even with a watch file marked as version=3, it has
access to the enhanced mangling rules.
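As an added illustration of the two debian/watch forms discussed in this thread (this is not code from any of the posters or from devscripts), the helper below writes a version=4 watch file either with an explicit "pgpsigurlmangle" rule or with "pgpmode=auto", and exports the upstream key to the path the policy text names. The upstream URL, the tarball name and the key ID are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: generate a version=4 debian/watch that
# lets uscan verify upstream OpenPGP signatures, in either of the two forms
# under discussion.  Upstream URL and tarball pattern are made up.
set -eu

# Usage: write_watch <pkgdir> <mangle|auto>
#   mangle - hardcode the signature location with pgpsigurlmangle (the form
#            the policy text recommends; the one that works reliably today)
#   auto   - let uscan probe for a signature file itself (pgpmode=auto)
write_watch() {
    dir=$1
    mode=$2
    mkdir -p "$dir/debian/upstream"
    case $mode in
        mangle) opts='pgpsigurlmangle=s/$/.asc/' ;;
        auto)   opts='pgpmode=auto' ;;
        *) echo "write_watch: unknown mode '$mode'" >&2; return 1 ;;
    esac
    # Unquoted heredoc: $opts expands, "\\" collapses to a single backslash
    # so the first line of the rule ends in the usual continuation marker.
    cat > "$dir/debian/watch" <<EOF
version=4
opts="$opts" \\
https://example.org/releases/ foo-(\\d[\\d.]*)\\.tar\\.xz
EOF
}

# Usage: export_signing_key <pkgdir> <keyid>
# Stores the upstream signing key, ASCII-armored, where policy 4.1.0 says.
# Check the fingerprint against an out-of-band source before trusting it.
export_signing_key() {
    gpg --armor --export "$2" > "$1/debian/upstream/signing-key.asc"
}

# Typical use (key ID is a placeholder); uscan exits non-zero if the
# downloaded tarball does not verify against debian/upstream/signing-key.asc:
#   write_watch . mangle
#   export_signing_key . 0xDEADBEEFDEADBEEF
#   uscan --verbose --download-current-version
```

Switching the second argument from mangle to auto swaps only the opts= line, which is the whole difference between hardcoding the signature URL and letting uscan discover it.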