Bug#1101484: popularity-contest: Cannot build from VCS

[Bill Allombert <ballombe@debian.org>]

On Fri, Mar 28, 2025 at 01:23:19PM +0100, Guillem Jover wrote:
> Hi!
> 
> On Fri, 2025-03-28 at 13:01:47 +0100, Chris Hofstaedtler wrote:
> > * Bill Allombert <ballombe@debian.org> [250328 10:33]:
> > > On Fri, Mar 28, 2025 at 10:02:46AM +0100, Guillem Jover wrote:
> > > > Source: popularity-contest
> > > > Source-Version: 1.78
> > > > Severity: normal
> 
> > > > Was checking the git repo, and noticed that the package cannot be
> > > > built from a git checkout, as it is at least missing the
> > > > debian-popcon.gpg file.
> 
> > > This is intended. You can get this file from the Debian source package.
> > > This way, there is only one official source.
> 
> Hmm, I'm not sure I really understand this rationale, of making the
> git repo unbuildable to mark it as non-official.

Sorry, I did not explain correctly. I meant
'there is only one official source _for debian-popcon.gpg_'.

While debian-popcon.gpg is a public key, the question rests whether this is a
public key corresponding to one of the popcon server private keys. There is no
way for the git repository to ascertain that. Without an account on the popcon
server, the only way is to obtain the official popularity-contest package 
(whether source or binary) provided by the Debian archive, check the chain of
signature and checksums, and use the debian-popcon.gpg file therein.

Cheers,
Bill.