
Re: Lintian orig-tarball-missing-upstream-signature



On Mon, Jul 31, 2017 at 5:41 AM, Christian Seiler wrote:
> On 07/31/2017 11:34 AM, Andrey Rahmatullin wrote:
>> uscan isn't used, or needed, in the git-only workflow at all.
>
> In purely git workflows (that pull remote git tags), sure, but
> then you'd not have debian/watch

That isn't necessarily true, since uscan now supports searching git
remotes for the latest tag. So you could have debian/watch (and
potentially an upstream signing keyring for verifying tags/commits)
but not any upstream tarball signature, since the tarball would be
generated by `git archive` run from mk-origtargz.

> And there I do want uscan to actually check the signature of
> the new orig tarball it downloads. But that also means that as
> I'm using the orig tarball from upstream (and pristine-tar is
> just a weird way of storing it) I think it is semantically
> correct to include the .asc files in the .changes file.

Perhaps you need pristine-tar to also store the .asc file and check it
out when appropriate.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

