
Bug#856128: marked as done (debian-watch-may-check-gpg-signature: false positives)



Your message dated Sun, 8 Dec 2019 17:00:04 -0800
with message-id <CAFHYt54PLvbd6q6ctOQLYfBJzNXuF5J2aG+GSON3VVU3nyrstw@mail.gmail.com>
and subject line Moot two ways
has caused the Debian Bug report #856128,
regarding debian-watch-may-check-gpg-signature: false positives
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
856128: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856128
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: lintian
Version: 2.5.50.1
Severity: normal

It appears that debian-watch-may-check-gpg-signature generates false positives.

On src:cups-pdf Lintian reports debian-watch-may-check-gpg-signature yet upstream does not publish any GPG signature. However, upstream does publish foo.tar.gz.md5 checksums. 

By the looks of it, debian-watch-may-check-gpg-signature checks for the presence of foo.tar.gz.* and reports a positive regardless of whether * indeed is a GPG signature or not.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (800, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages lintian depends on:
ii  binutils                          2.27.90.20170221-1
ii  bzip2                             1.0.6-8.1
ii  diffstat                          1.61-1
ii  file                              1:5.29-3
ii  gettext                           0.19.8.1-2
ii  intltool-debian                   0.35.0+20060710.4
ii  libapt-pkg-perl                   0.1.30
ii  libarchive-zip-perl               1.59-1
ii  libclass-accessor-perl            0.34-1
ii  libclone-perl                     0.38-2+b1
ii  libdpkg-perl                      1.18.22
ii  libemail-valid-perl               1.202-1
ii  libfile-basedir-perl              0.07-1
ii  libipc-run-perl                   0.94-1
ii  liblist-moreutils-perl            0.416-1+b1
ii  libparse-debianchangelog-perl     1.2.0-12
ii  libperl5.24 [libdigest-sha-perl]  5.24.1-1
ii  libtext-levenshtein-perl          0.13-1
ii  libtimedate-perl                  2.3000-2
ii  liburi-perl                       1.71-1
ii  libyaml-libyaml-perl              0.63-2
ii  man-db                            2.7.6.1-2
ii  patchutils                        0.3.4-2
ii  perl                              5.24.1-1
ii  t1utils                           1.39-2
ii  xz-utils                          5.2.2-1.2

Versions of packages lintian recommends:
ii  dpkg                                 1.18.22
ii  libperlio-gzip-perl                  0.19-1+b2
ii  perl                                 5.24.1-1
ii  perl-modules-5.24 [libautodie-perl]  5.24.1-1

Versions of packages lintian suggests:
pn  binutils-multiarch     <none>
ii  dpkg-dev               1.18.22
ii  libhtml-parser-perl    3.72-3
pn  libtext-template-perl  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Hi Martin-Éric,

> It appears that debian-watch-may-check-gpg-signature generates false positives.

Your complaint reflected a common frustration. The tag had a terrible
name. It is now called debian-watch-does-not-check-gpg-signature. You
probably agree that your package does not check any GPG signatures.
The tag was also marked experimental, which means you may not even see
it. Like other bugs expressing similar sentiments, I believe this one
can be closed.

> The upstream author of CUPS-PDF recently agreed to publish package
> signatures for future releases.

As an upside, you may be able to verify upstream signatures for
cups-pdf in the future, even though I did not see any today. (Lintian
never looked at upstream's MD5 checksums and won't know when GPG
signatures appear.) Closing this bug.

Kind regards
Felix Lechner

--- End Message ---
