Hello Chris,

thanks for your quick action

On Thu, Mar 08, 2018 at 06:10:15AM +0000, Chris Lamb wrote:
> tags 892255 + pending
> thanks
>
> Fixed in Git, pending upload:
>
> https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=d951d71b164f99c287c4e244eaa15f306e7cb703

Note there are some dragons (from #debian-devel):

1520499444 < Viiru> ukleinek: So upstream is providing multiple different compressed files and only one signature or some such?
1520499454 < ukleinek> Viiru: ack
1520499460 < Viiru> ukleinek: Do note that this scheme assumes that your decompressor is not an attack vector.
1520499484 < Viiru> (gpg itself is also obviously an attack vector, but that is unavoidable)
1520499494 < jcristau> (and sigs for uncompressed tarballs seem like a bad idea regardless)
1520499567 < Viiru> I'd suggest educating upstream instead of trying to make this scheme work.

And with my addition of the .tar.asc I broke the upload processing. (It's not yet entirely clear to me if I added the .tar.asc in a wrong way or if its mere presence was the problem.)

Best regards
Uwe