[Pkg-gnupg-maint] Bug#711744: Bug#711744: [gnupg] Please check signature files when getting new orig.tar.gz

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Jan 12 16:40:55 UTC 2014


Control: clone 711744 -1
Control: reassign -1 devscripts
Control: retitle -1 uscan should abort if pgpsigmangleurl but no upstream-signing-key.pgp

On Tue 2014-01-07 04:48:58 -0500, Thijs Kinkhorst wrote:
> On Sun, December 15, 2013 19:44, Daniel Kahn Gillmor wrote:
>> uscan should fail (return non-zero) if pgpsigmangleurl is present and
>> anything prevents full validation of the upstream source.
>
> If the upstream-signing-key.pgp is missing, uscan will happily
> download the tarball without any verification and with return code 0; I
> think that's not expected?
>
> $ uscan --verbose
> -- Scanning for watchfiles in .
> -- Found watchfile in ./debian
> -- In debian/watch, processing watchfile line:
>    opts="pasv,pgpsigurlmangle=s/$/.sig/"  http://gnupg.org/download/.*/gnupg-(1\..*)\.tar\.gz
> uscan warning: pgpsigurlmangle option exists, but debian/upstream-signing-key.pgp does not exist,

I agree this is a problem, and uscan should probably fail hard here
instead of just warning.

        --dkg
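The fail-closed rule this thread asks for, written out as an added POSIX shell example rather than uscan's or devscripts' own code: refuse to proceed when debian/watch carries pgpsigurlmangle but debian/upstream-signing-key.pgp is absent. The watch line is the one quoted above; the verify_upstream helper is hypothetical and assumes gpgv is installed.

```shell
#!/bin/sh
# check_watch_signing DIR: return 0 when no signature check is requested
# or the keyring is present, 1 when pgpsigurlmangle is set but the keyring
# is missing (fail closed), 2 when debian/watch itself cannot be read.
check_watch_signing() {
    watch="$1/debian/watch"
    keyring="$1/debian/upstream-signing-key.pgp"
    [ -r "$watch" ] || { echo "error: $watch not readable" >&2; return 2; }
    # Ignore commented-out lines; only live opts= lines matter.
    if grep -v '^[[:space:]]*#' "$watch" | grep -q 'pgpsigurlmangle='; then
        if [ ! -r "$keyring" ]; then
            echo "error: pgpsigurlmangle set in $watch but $keyring is missing;" \
                 "refusing to download unverified upstream source" >&2
            return 1
        fi
    fi
    return 0
}

# verify_upstream DIR TARBALL SIGFILE (hypothetical helper): check the
# detached signature with gpgv, trusting only the package's own keyring.
# Assumes gpgv is installed; a non-zero status means the tarball is rejected.
verify_upstream() {
    gpgv --keyring "$1/debian/upstream-signing-key.pgp" "$3" "$2"
}

# Constructed sample: the gnupg watch line from the bug report, no keyring.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/debian"
    printf '%s\n' 'opts="pasv,pgpsigurlmangle=s/$/.sig/" http://gnupg.org/download/.*/gnupg-(1\..*)\.tar\.gz' \
        > "$d/debian/watch"
    rc=0
    check_watch_signing "$d" || rc=$?
    echo "check_watch_signing exited with status $rc"   # 1: aborted, nothing downloaded
    rm -rf "$d"
}
demo
```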