
Bug#920763: lintian: orig-tarball-missing-upstream-signature interacts poorly with mode=git,pgpmode=gittag



On Tue 2019-02-26 14:24:11 +0000, Chris Lamb wrote:
> [ dkg wrote: ]
>> Ideally, lintian would verify that there exists a signed tag in the git
>> repo found at Vcs-Git: (from d/control) […]
>
> Lintian "cannot" talk to external sources, so this is out alas…

How about talking to the local git repository, if it's operating in one?
Does that count as an "external" source? If not, perhaps this should be
a separate lintian warning:

If mode=git,pgpmode=gittag, and the local working copy is itself a git
repository:

 * check if the tag appears
 * check that the tag matches the orig tarball
 * check that the tag is cryptographically signed by
   debian/upstream/signing-key.asc

If any of these three checks fail, maybe that's worth a warning?

      --dkg
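
The three local checks listed in the message above, as an added shell example that is not part of the original message and not lintian code. The function name `check_gittag`, its arguments (tag name, orig tarball path, optional key file) and the return codes are assumptions made for illustration; it also assumes the tarball unpacks to a single top-level directory and that `tar` accepts `--strip-components`.

```shell
#!/bin/sh
# Usage: check_gittag TAG ORIG_TARBALL [KEYFILE]   (hypothetical helper)
# Returns 0 if every check passes, 8 if the current directory is not a git
# work tree (nothing to check), 1 if the tag is missing, otherwise the sum of
# 2 (tag tree differs from tarball) and 4 (tag not signed by KEYFILE).
check_gittag() {
    tag=$1 orig=$2 key=${3:-debian/upstream/signing-key.asc}

    # Only applies when the local working copy is itself a git repository.
    git rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 8

    # Check 1: the tag appears in the local repository.
    if ! git rev-parse -q --verify "refs/tags/$tag" >/dev/null; then
        echo "W: tag $tag not found in local repository" >&2
        return 1
    fi

    rc=0
    tmp=$(mktemp -d) || return 8
    mkdir -m 700 "$tmp/gnupg" && mkdir "$tmp/orig" "$tmp/git"

    # Check 2: the tree exported from the tag matches the unpacked tarball.
    if ! { tar -xf "$orig" -C "$tmp/orig" --strip-components=1 &&
           git archive --format=tar "$tag" | tar -xf - -C "$tmp/git" &&
           diff -r -q "$tmp/orig" "$tmp/git" >/dev/null; } 2>/dev/null; then
        echo "W: tag $tag does not match $orig" >&2
        rc=$((rc + 2))
    fi

    # Check 3: the tag is signed by a key in KEYFILE. The throwaway keyring
    # holds only that file, so a signature from any other key cannot verify.
    if ! { GNUPGHOME="$tmp/gnupg" gpg --batch --quiet --import "$key" &&
           GNUPGHOME="$tmp/gnupg" git verify-tag "$tag"; } >/dev/null 2>&1; then
        echo "W: tag $tag is not signed by a key in $key" >&2
        rc=$((rc + 4))
    fi

    rm -rf "$tmp"
    return $rc
}
```

Importing the key file into a fresh `GNUPGHOME` is what ties the result to `debian/upstream/signing-key.asc`: a tag signed by a key that happens to be in the user's own keyring is still reported.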

