[lintian] 01/01: checks/watch-file.{desc.pm}: Check for packages where an upstream signature exists but is not being used. (Closes: #885621)
lamby pushed a commit to branch master
in repository lintian.
commit 54b3927394ccb0c2191f2198d44f0c5005a02fff
Author: Felix Lechner <felix.lechner@lease-up.com>
Date: Thu Dec 28 08:08:12 2017 -0800
checks/watch-file.{desc.pm}: Check for packages where an upstream signature exists but is not being used. (Closes: #885621)
Signed-off-by: Chris Lamb <lamby@debian.org>
---
checks/watch-file.desc | 8 ++++
checks/watch-file.pm | 27 +++++++----
debian/changelog | 4 ++
.../debian/debian/upstream/signing-key.asc | 52 ++++++++++++++++++++++
t/tests/watch-file-general/desc | 1 +
t/tests/watch-file-general/tags | 1 +
6 files changed, 84 insertions(+), 9 deletions(-)
diff --git a/checks/watch-file.desc b/checks/watch-file.desc
index af430dc..b9bd3a2 100644
--- a/checks/watch-file.desc
+++ b/checks/watch-file.desc
@@ -181,6 +181,14 @@ Info: This watch file verifies a cryptographic signature but
debian/upstream/signing-key.asc or
debian/upstream/signing-key.pgp.
+Tag: debian-watch-could-verify-download
+Severity: normal
+Certainty: certain
+Ref: uscan(1)
+Info: One or more upstream signing keys are present but are not being
+ used. Please enable the cryptographic verification of downloads with
+ the option 'pgpsigurlmangle' in your watch file or get rid of the key.
+
Tag: debian-watch-contains-dh_make-template
Severity: wishlist
Certainty: certain
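Review bot: The new Info text presents `pgpsigurlmangle` as the only way to turn on verification, but uscan(1), which the Ref line points to, also accepts (if I recall the manual correctly) `pgpmode=auto`, which picks up an `.asc`/`.sig` next to the tarball without any URL mangling; since the check presumably counts either as verification, the advice should mention both so maintainers are not steered to the more verbose option. Suggested wording: `Please enable cryptographic verification of downloads with the option 'pgpsigurlmangle' (or 'pgpmode=auto') in your watch file, or remove the unused key.`. It would also be worth naming the files the check looks for (debian/upstream/signing-key.asc or .pgp, as the preceding tag's Info does) so the reader knows which key "is present".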
diff --git a/checks/watch-file.pm b/checks/watch-file.pm
index 3f07ea7..dae94b1 100644
--- a/checks/watch-file.pm
+++ b/checks/watch-file.pm
@@ -185,19 +185,28 @@ sub run {
tag 'debian-watch-contains-dh_make-template' if ($template);
tag 'debian-watch-may-check-gpg-signature' unless ($withgpgverification);
- if ($withgpgverification) {
- my $found = 0;
- for my $key_name ($SIGNING_KEY_FILENAMES->all) {
- my $path = $info->index_resolved_path("debian/$key_name");
- if ($path and $path->is_file) {
- $found = 1;
- last;
- }
+ # Look for upstream signing key
+ my $key_found = 0;
+ for my $key_name ($SIGNING_KEY_FILENAMES->all) {
+ my $path = $info->index_resolved_path("debian/$key_name");
+ if ($path and $path->is_file) {
+ $key_found = 1;
+ last;
}
- if (not $found) {
+ }
+
+ # Check upstream key is present if needed
+ if ($withgpgverification) {
+ if (not $key_found) {
tag 'debian-watch-file-pubkey-file-is-missing';
}
}
+ # Check upstream key is used if present
+ else {
+ if ($key_found) {
+ tag 'debian-watch-could-verify-download';
+ }
+ }
my $changes = $info->changelog;
if (defined $changes and %dversions) {
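Review bot: A package that ships a signing key but has no verification in its watch file now receives two tags for the same condition: `debian-watch-may-check-gpg-signature` is still emitted unconditionally on the line above the new key search, and `debian-watch-could-verify-download` is added in the else branch, and the updated test expectations show both firing together on the same source. Consider moving the pedantic tag below the key search and making the two mutually exclusive: `tag 'debian-watch-may-check-gpg-signature' unless ($withgpgverification or $key_found);`. The `else { if ($key_found) { ... } }` nesting would read more directly as `elsif ($key_found) { tag 'debian-watch-could-verify-download'; }`. The enclosing `run` sub starts before and continues after this hunk.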
diff --git a/debian/changelog b/debian/changelog
index d5c38a1..0f0e096 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,10 @@ lintian (2.5.67) UNRELEASED; urgency=medium
* checks/changelog-file.{desc,pm}:
+ [CL] Warn about changelog entries that have incorrectly formatted
dates. (Closes: #793406)
+ * checks/watch-file.{desc,pm}:
+ + [CL] Apply patch from Felix Lechner <felix.lechner@lease-up.com> to
+ check for packages where an upstream signature exists but is not
+ being used. (Closes: #885621)
* data/standards-version/release-dates:
+ [CL] Correct date(1) invocation example in comment.
diff --git a/t/tests/watch-file-general/debian/debian/upstream/signing-key.asc b/t/tests/watch-file-general/debian/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..d83f52c
--- /dev/null
+++ b/t/tests/watch-file-general/debian/debian/upstream/signing-key.asc
@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=CYsi
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/t/tests/watch-file-general/desc b/t/tests/watch-file-general/desc
index 100079e..ff1f1fd 100644
--- a/t/tests/watch-file-general/desc
+++ b/t/tests/watch-file-general/desc
@@ -15,4 +15,5 @@ Test-For:
debian-watch-file-uses-deprecated-githubredir
debian-watch-may-check-gpg-signature
debian-watch-uses-insecure-uri
+ debian-watch-could-verify-download
References: Debian Bug#510398
diff --git a/t/tests/watch-file-general/tags b/t/tests/watch-file-general/tags
index ab0ffa6..44ba5fd 100644
--- a/t/tests/watch-file-general/tags
+++ b/t/tests/watch-file-general/tags
@@ -2,6 +2,7 @@ E: watch-file-general source: debian-watch-file-uses-deprecated-githubredir line
I: watch-file-general source: debian-watch-file-should-dversionmangle-not-uversionmangle line 5
I: watch-file-general source: debian-watch-uses-insecure-uri http://insecure.com
P: watch-file-general source: debian-watch-may-check-gpg-signature
+W: watch-file-general source: debian-watch-could-verify-download
W: watch-file-general source: debian-watch-file-declares-multiple-versions line 18
W: watch-file-general source: debian-watch-file-declares-multiple-versions line 7
W: watch-file-general source: debian-watch-file-should-mangle-version line 12