
Bug#920763: lintian: orig-tarball-missing-upstream-signature interacts poorly with mode=git,pgpmode=gittag



Control: tags 920763 - moreinfo

Hi Chris--

On Tue 2019-01-29 09:29:50 +0100, Chris Lamb wrote:
> Probably a silly question for this time in the morning but what is
> stopping you extracting the associated signature and calling it
> $origname.asc?

the signature matches the git commit, but not the tarball.  If we have a
$origname.asc i think it's expected to be verifiable via:

    gpgv $origname.asc $origname

but that would pretty clearly fail.

> (If this is not possible/sensible/whatever, if Lintian essentially
> grepped debian/watch, would that be good enough?)

Ideally, lintian would verify that there exists a signed tag in the git
repo found at Vcs-Git: (from d/control), which matches the name of
upstream-tag (from d/gbp.conf), and whose contents corresponds to the
expected contents of the orig.tar.gz (presumably with a standardized
prefix).  One approach would be to:

 * identify the tag by its expected name
 * cryptographically verify it
 * extract the expected archive from the git repo via sth. like
   git archive --format=tar --prefix=$pkgname-$origversion/ 
   piped through the expected buildpackage.compression value (from d/gbp.conf)
 * compare it bytewise with $origname

I suspect that will work in most cases, though i don't know whether git
has explicitly committed to a stable output for git archive
--format=tar.

If going that far is too fancy for lintian for now, then a simple grep
of d/watch would do for starters, and we could just convert this bug
report to a suggestion for future lintian enhancement.

Regards,

       --dkg
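The four-step check sketched in the message above, written out as an added shell example that is not part of this bug report or of lintian; it assumes git, gzip and cmp are on PATH, that `git verify-tag` can reach gpg, and that the orig tarball was built with the prefix `$pkgname-$version/` and `gzip -n`.

```shell
#!/bin/sh
# Added example, not from the bug report or lintian.  Assumes git, gzip and
# cmp are on PATH and that git verify-tag can reach gpg; the tarball prefix
# "$pkgname-$version/" and "gzip -n" (no timestamp in the gzip header, so the
# bytes are reproducible) are assumptions about how the orig was built.
set -eu

# Steps 1 and 2: find the tag by its expected name, then verify its signature.
# git verify-tag exits non-zero for unsigned tags and for bad signatures.
verify_upstream_tag() {
    repo=$1; tag=$2
    git -C "$repo" rev-parse -q --verify "refs/tags/$tag" >/dev/null || return 1
    git -C "$repo" verify-tag "$tag"
}

# Step 3: regenerate the orig tarball from the tag.  git archive takes the
# entry mtimes from the commit date and records the commit id in a pax header,
# so the bytes depend on the commit (and on the git version), not on the clock.
build_expected_orig() {
    repo=$1; tag=$2; pkgname=$3; version=$4; out=$5
    git -C "$repo" archive --format=tar --prefix="$pkgname-$version/" "$tag" \
        | gzip -9n > "$out"
}

# Step 4: byte-for-byte comparison.  Returns 0 only when the regenerated
# archive and the orig tarball are identical.
orig_matches_tag() {
    repo=$1; tag=$2; pkgname=$3; version=$4; orig=$5
    expected=$(mktemp)
    build_expected_orig "$repo" "$tag" "$pkgname" "$version" "$expected"
    if cmp -s "$expected" "$orig"; then rm -f "$expected"; return 0; fi
    rm -f "$expected"; return 1
}

# Constructed sample input: a throwaway repo with one commit and an (unsigned)
# tag, so the archive comparison can be tried without a real package.
make_sample_repo() {
    dir=$(mktemp -d)
    export GIT_AUTHOR_NAME=ex GIT_AUTHOR_EMAIL=ex@example.com
    export GIT_COMMITTER_NAME=ex GIT_COMMITTER_EMAIL=ex@example.com
    export GIT_AUTHOR_DATE=2019-01-29T09:29:50+0100
    export GIT_COMMITTER_DATE=2019-01-29T09:29:50+0100
    git -C "$dir" init -q
    printf 'hello\n' > "$dir/README"
    git -C "$dir" add README
    git -C "$dir" commit -q -m 'sample upstream release'
    git -C "$dir" tag upstream/1.0
    printf '%s\n' "$dir"
}
```

With a real package the tag would be signed, so `verify_upstream_tag` succeeds before `orig_matches_tag` is consulted; on the constructed unsigned tag the signature step fails, which is the intended behaviour.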

