[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debian/upstream/signing-key.asc in policy 4.1.0

Hi,

On Sun, Aug 27, 2017 at 08:51:49PM -0300, Henrique de Moraes Holschuh wrote:
> On Wed, 23 Aug 2017, Russ Allbery wrote:
> > Note that this Policy language is carefully written to make it perfectly
> > fine for uscan to support all the things it currently supports, since it
> > only talks about what Policy recommends the maintainer does.  So don't
> > feel any obligation to change what uscan is doing on Policy's account
> > here.
> 
> Actually, the text in 4.1.0.0 might be doing too much.  It reads:
> 
> "If the upstream maintainer of the software provides OpenPGP signatures
> for new releases, including the information required for "uscan" to
> verify signatures for new upstream releases is also recommended. To do
> this, use the "pgpsigurlmangle" option in "debian/watch" to specify
> the location of the upstream signature, and include the key or keys
> used to sign upstream releases in the Debian source package as
> "debian/upstream/signing-key.asc".
> 
> IMO, it should either not be mandating uscan internals, or it should be

In principle, you comment is a very reasonable one.

> very clear about the exact subset of stuff we can use in debian/watch
> (version, etc).  For example, I'd rather use opt="..., pgpmode=auto,..."
> instead of explicitly hardcoding a "pgpsigurlmangle".

The new pgpmode=auto and pgpmode=previous have bugs and fail to function
smoothly ---  #873289 #852537  Excuse me for these bugs.  The fixes have
been committed to git.  I am hoping the next upload of devscripts (and
its backport) will fix them.  So "pgpsigurlmangle" is the only good way
at this moment.
 
> IMHO, just drop everything from "To do this..." to the end of that
> paragraph entirely.  HOW one gets "uscan" to fetch and check upstream
> signatures is a job for the uscan(1) manpage.  Alternatively, just
> mention "debian/watch", and to refer to the uscan documentation in
> package "devscripts".

Once pgpmode=auto becomes noise free, this should be the preferred
choice.  It will be nice to address #833012, too, using s/\?/.asc?/ etc.
to make it really default one.

So for now, the policy text is better for me.

> OTOH, if we really need to mandate a specific level of debian/watch
> support, the current text in policy needs work: it doesn't even tell me
> whether I can use version=3 (supported in oldstable), or version=4
> (supported in oldstable-backports and stable), for example...

The uscan version=3/version=4 difference is not much about enhanced
mangling rules.  It's about how uupdate is invoked and how uupdate
creates the updated source tree.  version=4 uses dpkg-source as back-end
and capable of generating multi-upstream tarball.

If you use new uscan, even with a watch file marked as version=3, it has
access to the enhanced mangling rules.

Osamu
Reply to: