Re: Questions before my first upload attempt

[Johan Van de Wauw <johan.vandewauw@gmail.com>]

On Fri, Aug 21, 2015 at 11:33 PM, Thomas Schmitt <scdbackup@gmx.net> wrote:
> Hi,
>
> after some fight with the keyring i am able to produce
> signed packages on sid.
>
> Will this warning be a problem ?
>
>   $ gpg --verify ../libisoburn_1.4.0-1.1_source.changes
>   gpg: Signature made Fri 21 Aug 2015 10:44:01 PM CEST using DSA key ID ABC0A854
>   gpg: Good signature from "Thomas Schmitt <scdbackup@gmx.net>"
>   gpg: WARNING: This key is not certified with a trusted signature!
>   gpg:          There is no indication that the signature belongs to the owner.
>   Primary key fingerprint: 44BC 9FD0 D688 EB00 7C4D  D029 E9CB DFC0 ABC0 A854

This indicates that you have not set a trust level for that key. If you run
gpg --edit-key  ABC0A854
type "trust" and set to: I trust fully (or whatever you trust yourself :-))

> ---------------------------------------------------------------
>
> I need a translator from debian-speak to english (or german).
>
> My first runs of debuild showed lintian warnings, which i could
> silence, except this class from debuild -b:
>
>   W: libburn4: hardening-no-relro usr/lib/libburn.so.4.93.0
>   W: cdrskin: hardening-no-relro usr/bin/cdrskin
>   W: libisofs6: hardening-no-relro usr/lib/libisofs.so.6.76.0
>   W: libisoburn1: hardening-no-relro usr/lib/libisoburn.so.1.97.0
>   W: xorriso: hardening-no-relro usr/bin/xorriso
>
> "This package was likely not built with the default
>  Debian compiler flags defined by dpkg-buildflags."
>
> What does it want me to do ?
> Where ? In debian/rules ? In upstream ? Examples available ?
What debhelper version are you using (check debian/compat). Try going
to 9, if that does not help: share your packaging work, it is hard to
find out without seeing the code.
More explanations here: https://wiki.debian.org/HardeningWalkthrough

>
> --------------------------------------------------------------
> Riddle:
>
> During my work something caused unconditional regeneration
> of unpacked
>   libisoburn-1.4.0/xorriso/xorrecord.info
> The versions of makeinfo differ between release machine
> and sid, which causes different .info result.
> In subsequent runs of debuild this causes a complaint
> about uncommitted changes.
>
> The makeinfo run is indeed in my upstream autotools empire.
> But it should only trigger if .info is missing or outdated.
> In a build run out of the upstream tarball, the makeinfo
> run is not triggered. On the same sid.
>
> Only one of three .info gets regenerated in this way:
>   -rw-r--r-- 1 thomas thomas  41768 Aug 21 22:25 xorriso/xorrecord.info
>   -rw-r--r-- 1 thomas thomas 291521 Aug 21 14:56 xorriso/xorriso.info
>   -rw-r--r-- 1 thomas thomas 108424 Aug 21 14:56 xorriso/xorrisofs.info
>

>
> What is the magic difference between tar xzf and cp ?
> Why does it not happen with ./configure && make
> from upstream tarball ?
I suppose it is this: copying will set the timestamp at the time of
copying, so make (or another tool) does not detect a changed version:
the generated version is newer than it sources. When extracting you
get the original timestamp.

Kind Regards,
Johan