
Bug#870069: orig-tarball-missing-upstream-signature error breaks rebuilding existing packages and more



Chris,

On Fri, Sep 1, 2017 at 1:55 AM, Chris Lamb <lamby@debian.org> wrote:
>
> Hey Stefan and Paul,
>
> > orig-tarball-missing-upstream-signature error breaks rebuilding
> > existing packages
>
> The next version of Lintian will ignore "repacked" tarballs - ones
> that contain "dfsg" in their version.

That certainly sounds reasonable, because the "dfsg" version is no
longer the original version for those cases.
>
> Perhaps we could also ignore "UNRELEASED" in the distribution? Or
> is there something else we could check for in the version...?

Personally, I run pdebuild with a hook for the unstable version of
lintian, and separately run the testing version of lintian, all the
time on an UNRELEASED distribution during development.  I only change
UNRELEASED to unstable at the very end to finalize a package for
uploading, after performing all checks.  I am probably not the only
one to do that.  So I would still let lintian treat an UNRELEASED
distribution as if it were in final form.

As for a straightforward acceptance of GNU Project ".sig" files for
packages as I requested previously in this bug report, later
discussion on the debian-policy mailing list has shown preference for
".asc"-only files, with ".sig" files being converted to ".asc":

https://lists.debian.org/debian-policy/2017/08/msg00201.html

There is no outright ban on binary ".sig" files, but that discussion
is leaning towards ".asc"-only signatures.

Of course, Debian Policy 4.1.0 also just added mention of
debian/upstream/signing-key.asc.

Thank you,


Paul Hardy

