
nmap: open points



On Sun, 17 Sep 2017 00:42:15 +0200
Hilko Bengen <bengen at debian.org> wrote:

> I have uploaded nmap/7.60+dfsg1-1 and uploaded the tag to the git
> repo.

Nice, thanks! :)

> A thing I missed before is that Lintian complains because of the
> repacked tarball:
> 
> E: nmap changes: orig-tarball-missing-upstream-signature
> nmap_7.60+dfsg1.orig.tar.xz
> 
> I suppose that the key can still be useful when importing new upstream
> versions, though.

I had noticed it but ignored it, since upstream gpg signature handling
is on my list of things that should be improved in Debian.  I had
intended to make a proper writeup of my findings, but since I don't
know when that'll be, I'll post a short summary now:

* the lintian orig-tarball-missing-upstream-signature tag is only
  emitted when lintian processes the changes file, not when processing
  the dsc file (so this tag won't be visible on e.g. tracker)

* there is no support in gbp (we would need to add upstream's signature
  e.g. to the pristine-tar branch or in an additional branch); when
  building the source package from git and we want the signature
  included:
  - we have to call `uscan -dd` to actually download the signature file
    (or download it manually from upstream)
  - we have to rename the signature file so it matches the orig.tar.*
  - when using the gbp "export-dir" option, we have to move the
    signature file into the same directory before calling `gbp
    buildpackage` to allow dpkg-source to pick it up when called

I haven't really thought about repacks yet, but I kept the signing key
in nmap for the same reason Hilko mentioned:  I like it that my
`gbp import-orig --uscan` checks the signature.


An example that suffered from limited tooling support is our acct
package: it does have a debian/upstream/signing-key.asc file, yet at
least the last uploads don't contain upstream's signature.  Even worse,
nobody noticed that upstream switched from the dsa1024 to a new rsa4096
key since version 6.6.3.  The package appears to be lintian clean on
tracker, nothing about this problem shows up in the "full" lintian
report created by the latest released lintian version [1].

If someone here wants to move forward trying to get better support for
signature files into lintian and gbp, please do so :) .  Otherwise, as
said, it's also on my TODO list so I'll get to doing it sooner or later.

Regards
Lukas

[1] https://lintian.debian.org/full/pkg-security-team at lists.alioth.debian.org.html#acct_6.6.4-1
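The manual sequence listed in the message above (`uscan -dd`, rename the signature so it matches the orig tarball, put it in the gbp export dir before `gbp buildpackage` so dpkg-source picks it up), as an added example that is not code from this thread or from the uscan, gbp or dpkg projects: a POSIX shell script with the rename step, a verification step against debian/upstream/signing-key.asc, and a check that the resulting .dsc actually references the signature. The package name foo, version 1.2, the fake file contents and the .dsc text are constructed; the `<pkg>_<ver>.orig.tar.<ext>.asc` naming and `--git-export-dir` are the real dpkg-source and gbp conventions; the assumption that gpgv accepts an armoured keyring holds for GnuPG 2.1 and later; the repack detection is a heuristic on the +dfsg/~dfsg/+ds version suffixes. One caveat the message leaves open: a repacked tarball cannot carry upstream's signature, since the bytes upstream signed are not the bytes in the orig tarball, so the helper refuses those rather than shipping a signature that would fail verification at extraction time.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from gbp/uscan/dpkg.
# Helpers for: download signature -> rename to <pkg>_<ver>.orig.tar.<ext>.asc
# -> place beside the orig tarball in the export dir -> confirm the .dsc
# lists it.  Real-tree order (assumed workflow, see notes after the block):
#   uscan -dd
#   place_upstream_sig ../build-area ../foo-1.2.tar.gz.asc foo_1.2.orig.tar.gz
#   gbp buildpackage --git-export-dir=../build-area
#   dsc_lists_sig ../build-area/foo_1.2-1.dsc
set -eu

# Copy an ASCII-armoured upstream signature into <export-dir> under the name
# dpkg-source looks for, and print the resulting path.  The orig tarball name
# is discovered from the export dir, or given explicitly as the third argument
# when gbp has not exported the tarball yet.
# Usage: place_upstream_sig <export-dir> <downloaded.asc> [<pkg>_<ver>.orig.tar.<ext>]
place_upstream_sig() {
    exportdir=$1
    sig=$2
    origname=${3:-}
    case "$sig" in
        *.asc) ;;
        *) echo "error: $sig is not an ASCII-armoured signature (.asc)" >&2
           return 1 ;;
    esac
    if [ -z "$origname" ]; then
        for f in "$exportdir"/*.orig.tar.*; do
            [ -e "$f" ] || continue
            case "$f" in *.asc|*.sig) continue ;; esac
            if [ -n "$origname" ]; then
                echo "error: more than one orig tarball in $exportdir" >&2
                return 1
            fi
            origname=${f##*/}
        done
        if [ -z "$origname" ]; then
            echo "error: no orig tarball in $exportdir; pass its name explicitly" >&2
            return 1
        fi
    fi
    case "$origname" in
        *_*.orig.tar.*) ;;
        *) echo "error: $origname does not look like <pkg>_<ver>.orig.tar.<ext>" >&2
           return 1 ;;
    esac
    # Heuristic: a repacked tarball (+dfsg, ~dfsg, +ds) differs from what
    # upstream signed, so upstream's signature cannot apply to it.
    case "$origname" in
        *+dfsg*|*~dfsg*|*+ds*)
            echo "error: $origname is a repack; upstream's signature does not cover it" >&2
            return 1 ;;
    esac
    mkdir -p "$exportdir"
    target="$exportdir/$origname.asc"
    if [ -e "$target" ] && [ "$sig" -ef "$target" ]; then
        :   # already in place under the right name, nothing to copy
    else
        cp -- "$sig" "$target"
    fi
    printf '%s\n' "$target"
}

# Verify the placed signature with the key shipped in the packaging.
# Returns 0 on a good signature, non-zero from gpgv on a bad one, and 2 when
# gpgv is missing (deliberately not 0: a skipped check must not look passed).
# Usage: verify_upstream_sig <export-dir>/<pkg>_<ver>.orig.tar.<ext>.asc [keyring]
verify_upstream_sig() {
    sigpath=$1
    keyring=${2:-debian/upstream/signing-key.asc}
    tarball=${sigpath%.asc}
    if ! command -v gpgv >/dev/null 2>&1; then
        echo "warning: gpgv not installed, $tarball NOT verified" >&2
        return 2
    fi
    gpgv --keyring "$keyring" "$sigpath" "$tarball"
}

# After the build, confirm dpkg-source listed the signature in the .dsc
# (Files:/Checksums-*: entries have the form " <hash> <size> <name>").
# Usage: dsc_lists_sig <package>.dsc
dsc_lists_sig() {
    grep -Eq '^ [0-9a-f]+ [0-9]+ [^ ]+\.orig\.tar\.[a-z0-9]+\.asc$' "$1"
}

# Constructed walk-through with fake files (no real package data, no network).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/export-dir"
    printf 'stand-in for the orig tarball\n' > "$tmp/export-dir/foo_1.2.orig.tar.gz"
    # what `uscan -dd` would have left in the download dir (constructed)
    printf -- '-----BEGIN PGP SIGNATURE-----\n(constructed)\n-----END PGP SIGNATURE-----\n' \
        > "$tmp/foo-1.2.tar.gz.asc"
    placed=$(place_upstream_sig "$tmp/export-dir" "$tmp/foo-1.2.tar.gz.asc")
    echo "signature placed as: ${placed##*/}"
    # stand-in for the .dsc dpkg-source writes once the .asc sits beside the tarball
    cat > "$tmp/foo_1.2-1.dsc" <<'EOF'
Files:
 d41d8cd98f00b204e9800998ecf8427e 30 foo_1.2.orig.tar.gz
 d41d8cd98f00b204e9800998ecf8427e 70 foo_1.2.orig.tar.gz.asc
 d41d8cd98f00b204e9800998ecf8427e 1000 foo_1.2-1.debian.tar.xz
EOF
    if dsc_lists_sig "$tmp/foo_1.2-1.dsc"; then
        echo "foo_1.2-1.dsc references the upstream signature"
    fi
    rm -rf "$tmp"
}
demo
```

Run as-is for the constructed walk-through. In a real git tree the signature only gets downloaded when debian/watch carries a pgpsigurlmangle (or pgpmode) option, uscan leaves it in the parent directory, and the export dir normally does not contain the orig tarball until gbp exports it from pristine-tar, which is why the third argument exists: name the tarball up front so the .asc is already waiting when dpkg-source runs. The .dsc check is the one that matters for the tracker problem described above, because a .dsc without the `.orig.tar.*.asc` entry is exactly the case lintian only flags from the .changes file.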
