
Bug#916207: lintian: debian-watch-does-not-check-gpg-signature certainty considered annoying



On Tuesday, December 11, 2018 10:34:16 AM Felix Lechner wrote:
> Hi Scott,
> 
> Many people find the tag cumbersome, and some people think it should
> go away. At the same time, upstream sources are more trustworthy when
> verified; and that is in the project's overall interest. Could your
> concern be resolved by better naming?
> 
> I process the tag name (it has already been renamed once [1]) as
> "debian-watch-does-not-check-A-gpg-signature." Without a signature
> that is an objective fact.
> 
> On Tue, Dec 11, 2018 at 5:18 AM Scott Kitterman <debian@kitterman.com> wrote:
> > As designed, debian-watch-does-not-check-gpg-signature does not check if
> > upstream provides a GPG signature to make checking it possible.
> 
> When I process the name as
> "debian-watch-does-not-check-THE-gpg-signature"---which is maybe the
> way you are reading it---it means the same as
> 'debian-watch-could-verify-download' but the tag does not behave like
> it.
> 
> My suggestion would be to rename the tag to
> 'built-from-unverified-sources' or similar. What do you think?
> 
> > when if there's no upstream signature, it's not at all a problem
> > the maintainer can fix.  "Certainty: possible" seems much more reasonable
> > to me.
> 
> The tag would continue to be of Certainty: certain.

That assumes there's only one way to verify sources.  I think it's too 
generic.

I realize it's virtually impossible to please everyone on things like this.

I think lintian should point out actionable issues.  If upstream doesn't sign 
their releases, there's no action to take here.  I think lintian should either 
grow the ability to see if there's something upstream that's signed based on 
the existing watch file and only flag this issue if there is or change the 
certainty.

I know which of those is easier.

I have more than once seen potential sponsors insist packages be 'lintian 
clean' (including sometimes pedantic) before they would sponsor things.  These 
kinds of unactionable tags cause friction for new contributors.  They are not 
harm free.

Scott K

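The two-tier check Scott describes above (only report the tag with full certainty when the existing watch file points at an upstream that actually publishes a detached signature), as an added illustration in Python that is not lintian's code and not part of this bug thread. The watch files, the `sig_exists` probe callback and all function names are constructed for the example.

```python
import re
from typing import Callable

# Constructed sample watch files (hypothetical upstream, not from the bug report).
WATCH_UNVERIFIED = """version=4
https://example.org/releases/ foo-(\\d[\\d.]*)\\.tar\\.gz
"""

WATCH_VERIFIED = """version=4
opts="pgpsigurlmangle=s/$/.asc/" \\
https://example.org/releases/ foo-(\\d[\\d.]*)\\.tar\\.gz
"""


def watch_checks_signature(watch_text: str) -> bool:
    """True when some line's opts= carries pgpsigurlmangle or a pgpmode other than none."""
    joined = re.sub(r"\\\n", " ", watch_text)  # fold backslash line continuations
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'opts=(?:"([^"]*)"|(\S+))', line)
        if not m:
            continue
        for opt in (m.group(1) or m.group(2)).split(","):
            if opt.startswith("pgpsigurlmangle="):
                return True
            if opt.startswith("pgpmode=") and opt != "pgpmode=none":
                return True
    return False


def classify(watch_text: str, tarball_url: str,
             sig_exists: Callable[[str], bool]) -> str:
    """Return 'ok' if the watch file verifies signatures, 'certain' if upstream
    publishes a detached signature the watch file ignores (actionable), and
    'possible' if no signature could be found next to the tarball (not actionable).
    sig_exists is a hypothetical probe (e.g. an HTTP HEAD) injected so this runs offline."""
    if watch_checks_signature(watch_text):
        return "ok"
    for suffix in (".asc", ".sig", ".sign"):
        if sig_exists(tarball_url + suffix):
            return "certain"
    return "possible"
```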