[Pkg-gnupg-maint] Bug#711744: Bug#711744: [gnupg] Please check signature files when getting new orig.tar.gz

Thijs Kinkhorst thijs at debian.org
Tue Jan 7 09:48:58 UTC 2014


On Sun, December 15, 2013 19:44, Daniel Kahn Gillmor wrote:
> On 12/13/2013 03:33 AM, Thijs Kinkhorst wrote:
>> Well, the idea of making it invalid was to see if the download would
>> actually fail on that.
>
> uscan should fail (return non-zero) if pgpsigmangleurl is present and
> anything prevents full validation of the upstream source.

OK, I gave it another try.

Firstly, it seems like the watch file in this bug accidentally drops the
required "pasv" option. When I re-add that, the downloading of the
orig.tar.gz works again, but the downloading of the signature fails. Does
that code not use the pasv option?

$ uscan --verbose
-- Scanning for watchfiles in .
-- Found watchfile in ./debian
-- In debian/watch, processing watchfile line:
   opts="pasv,pgpsigurlmangle=s/$/.sig/"  http://gnupg.org/download/
.*/gnupg-(1\..*)\.tar\.gz
-- Found the following matching hrefs:
     ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.16.tar.gz (1.4.16)
Newest version on remote site is 1.4.16, local version is 1.4.15
 => Newer version available from
    ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.16.tar.gz
-- Downloading updated package gnupg-1.4.16.tar.gz
-- Downloading OpenPGP signature for package as gnupg-1.4.16.tar.gz.pgp
uscan warning: In directory ., downloading OpenPGP signature
  ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.16.tar.gz failed: 400 FTP
return code 150

Also, if the upstream-signing-key.pgp is missing, uscan will happily
download the tarball without any verification and with return code 0. I
think that's not expected?

$ uscan --verbose
-- Scanning for watchfiles in .
-- Found watchfile in ./debian
-- In debian/watch, processing watchfile line:
   opts="pasv,pgpsigurlmangle=s/$/.sig/"  http://gnupg.org/download/
.*/gnupg-(1\..*)\.tar\.gz
uscan warning: pgpsigurlmangle option exists, but
debian/upstream-signing-key.pgp does not exist,
  ignoring in debian/watch:
  http://gnupg.org/download/ .*/gnupg-(1\..*)\.tar\.gz
-- Found the following matching hrefs:
     ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.16.tar.gz (1.4.16)
Newest version on remote site is 1.4.16, local version is 1.4.15
 => Newer version available from
    ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.16.tar.gz
-- Downloading updated package gnupg-1.4.16.tar.gz
-- Successfully downloaded updated package gnupg-1.4.16.tar.gz
    and symlinked gnupg_1.4.16.orig.tar.gz to it
-- Scan finished
$ echo $?
0


Cheers,
Thijs
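The second run above shows the behaviour being reported: a watch file that asks for signature checking, a missing debian/upstream-signing-key.pgp, and uscan still exiting 0 after downloading the tarball. The script below is an added illustration of the check as a defender would want it enforced; it is not uscan's own code. It uses the file names from the watch file in the report (the orig tarball, the detached signature obtained through the pgpsigurlmangle rule, and debian/upstream-signing-key.pgp as the only trusted keyring). The function name `verify_upstream_sig` and its exit codes are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not uscan's code: the verification step a watch file
# with pgpsigurlmangle implies. The point is that a missing keyring or a
# missing signature is a hard failure, never a warning followed by a
# successful download.
#
# Exit codes (assumed for this example):
#   0  tarball verified against the packaged keyring
#   2  keyring missing or unreadable
#   3  detached signature missing or unreadable
#   4  gpg rejected the signature

verify_upstream_sig() {
    vus_tarball=$1
    vus_sig=$2
    vus_keyring=${3:-debian/upstream-signing-key.pgp}

    # Skipping verification because the keyring is absent would let an
    # unverified tarball through with exit status 0, which is exactly the
    # behaviour reported above. Refuse instead.
    if [ ! -r "$vus_keyring" ]; then
        echo "error: keyring $vus_keyring missing; refusing $vus_tarball" >&2
        return 2
    fi

    # No signature means nothing to verify; treat it the same way.
    if [ ! -r "$vus_sig" ]; then
        echo "error: signature $vus_sig missing for $vus_tarball" >&2
        return 3
    fi

    # Verify against the packaged keyring only. --no-default-keyring keeps
    # the developer's personal keys out of the decision, and the keyring
    # itself is the trust anchor, so ownertrust is not consulted.
    if gpg --no-default-keyring --keyring "$vus_keyring" \
           --trust-model always --verify "$vus_sig" "$vus_tarball" 2>/dev/null
    then
        return 0
    fi
    echo "error: OpenPGP verification of $vus_tarball failed" >&2
    return 4
}

# Usage, from the package's top-level directory after uscan fetched both
# files through the mangled URL:
#   verify_upstream_sig ../gnupg-1.4.16.tar.gz ../gnupg-1.4.16.tar.gz.sig
#   echo $?
```

The keyring path deliberately has no fallback to the user's default keyring: if debian/upstream-signing-key.pgp is not shipped with the packaging, the function returns 2 before gpg is ever invoked, so a missing keyring can never be mistaken for a successful verification.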


