Bug#920763: lintian: orig-tarball-missing-upstream-signature interacts poorly with mode=git,pgpmode=gittag
On Tue 2019-02-26 14:24:11 +0000, Chris Lamb wrote:
> [ dkg wrote: ]
>> Ideally, lintian would verify that there exists a signed tag in the git
>> repo found at Vcs-Git: (from d/control) […]
>
> Lintian "cannot" talk to external sources, so this is out alas…

How about talking to the local git repository, if it's operating in one?
Does that count as an "external" source? If not, perhaps this should be
a separate lintian warning:

If mode=git,pgpmode=gittag, and the local working copy is itself a git
repository:

 * check if the tag appears
 * check that the tag matches the orig tarball
 * check that the tag is cryptographically signed by
   debian/upstream/signing-key.asc

If any of these three checks fail, maybe that's worth a warning?

--dkg
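
The three checks proposed in the message above, run against the local repository only, as an added example that is not part of the original e-mail and is not lintian's code. The function name `check_gittag`, its arguments and its return codes are hypothetical; it assumes GNU tar and an orig tarball that wraps the tag's tree in a single top-level directory.

```shell
# Added example; check_gittag and its return codes are hypothetical, not lintian's.
# Usage: check_gittag REPO TAG ORIG_TARBALL SIGNING_KEY
# Returns 0 = all checks pass, 1 = tag missing, 2 = tag and tarball differ,
#         3 = tag not signed by a key in SIGNING_KEY, 4 = check not applicable.
check_gittag() {
    repo=$1 tag=$2 orig=$3 key=$4

    # Only meaningful when the working copy is itself a git repository.
    git -C "$repo" rev-parse --git-dir >/dev/null 2>&1 || return 4

    # Check 1: the tag appears in the local repository.
    git -C "$repo" rev-parse -q --verify "refs/tags/$tag" >/dev/null 2>&1 || return 1

    work=$(mktemp -d) || return 4
    mkdir "$work/orig" "$work/tag" "$work/gnupg" && chmod 700 "$work/gnupg"

    # Check 2: the tree exported from the tag equals the unpacked orig tarball.
    # Assumes the tarball wraps everything in one top-level directory.
    tar -xf "$orig" --strip-components=1 -C "$work/orig" 2>/dev/null &&
        git -C "$repo" archive --format=tar "$tag" | tar -xf - -C "$work/tag" &&
        diff -r -q "$work/orig" "$work/tag" >/dev/null ||
        { rm -rf "$work"; return 2; }

    # Check 3: verify the tag against a throwaway keyring that holds only
    # debian/upstream/signing-key.asc, so keys in the user's own keyring
    # cannot satisfy the check.
    GNUPGHOME="$work/gnupg" gpg --batch --quiet --import "$key" 2>/dev/null &&
        GNUPGHOME="$work/gnupg" git -C "$repo" verify-tag "$tag" 2>/dev/null
    rc=$?
    rm -rf "$work"
    [ "$rc" -eq 0 ] || return 3
    return 0
}
```

Called from the unpacked source tree as `check_gittag . "$tag" ../pkg_1.0.orig.tar.xz debian/upstream/signing-key.asc`, where the tag name and tarball path are placeholders; any non-zero result other than 4 corresponds to one of the three failed checks.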