Bug#870069: orig-tarball-missing-upstream-signature error breaks rebuilding existing packages and more
Chris,
On Fri, Sep 1, 2017 at 1:55 AM, Chris Lamb <lamby@debian.org> wrote:
>
> Hey Stefan and Paul,
>
> > orig-tarball-missing-upstream-signature error breaks rebuilding
> > existing packages
>
> The next version of Lintian will ignore "repacked" tarballs - ones
> that contain "dfsg" in their version.

That certainly sounds reasonable, because the "dfsg" version is no
longer the original version for those cases.

>
> Perhaps we could also ignore "UNRELEASED" in the distribution? Or
> is there something else we could check for in the version...?

Personally, I run pdebuild with a hook for the unstable version of
lintian, and separately run the testing version of lintian, all the
time on an UNRELEASED distribution during development. I only change
UNRELEASED to unstable at the very end to finalize a package for
uploading, after performing all checks. I am probably not the only
one to do that. So I would still let lintian treat an UNRELEASED
distribution as if it were in final form.

As for a straightforward acceptance of GNU Project ".sig" files for
packages as I requested previously in this bug report, later
discussion on the debian-policy mailing list has shown preference for
".asc"-only files, with ".sig" files being converted to ".asc":
https://lists.debian.org/debian-policy/2017/08/msg00201.html
There is no outright ban on binary ".sig" files, but that discussion
is leaning towards ".asc"-only signatures.

Of course, Debian Policy 4.1.0 also just added mention of
debian/upstream/signing-key.asc.

Thank you,
Paul Hardy