Your message dated Sun, 04 Sep 2022 13:04:05 +0000
with message-id <[email protected]>
and subject line Bug#964286: fixed in dgit 10.0
has caused the Debian Bug report #964286,
regarding dgit: Incorrect use of Dpkg::Source::Package argument
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
964286: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964286
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:dpkg
Version: 1.20.2
User: [email protected]
Usertags: breaks
Affects: dgit

Hi.  My grep-excuses says:

> autopkgtest regression
>     in dgit (9.11) on amd64
>     due to dpkg (1.19.7 to 1.20.2)
> test info
>     REGRESSION
>     https://ci.debian.net/data/autopkgtest/testing/amd64/d/dgit/6073505/log.gz
>     https://ci.debian.net/packages/d/dgit/testing/amd64
>     null
>     https://ci.debian.net/api/v1/retry/6073505

The relevant part of the log says:

  + dgit --dgit=dgit --dget:-u --dput:--config=/tmp/autopkgtest-lxc.8prm8y9v/downtmp/autopkgtest_tmp/dput.cf --config-lookup-explode=dgit-distro.debian.alias-canon -dtest-dummy -D -kBCD22CD83243B79D3DFAC33EA3DBCBC039B13D8A import-dsc ../mirror/pool/main/example_1.2.dsc t.1.2
  | git rev-parse --show-toplevel
  => `/tmp/autopkgtest-lxc.8prm8y9v/downtmp/autopkgtest_tmp/example'
  | git config -z --get-regexp --local '.*'
  | git config -z --get-regexp --local '.*'
  | git config -z --get-regexp --global '.*'
  | git config -z --get-regexp --system '.*'
  | git check-ref-format --normalize refs/heads/t.1.2
  => `refs/heads/t.1.2'
  | git symbolic-ref -q HEAD
  => `refs/heads/master'
  | git for-each-ref '--format=%(objectname)' '[r]efs/heads/t.1.2'
  => `'
  gpgv: unknown type of key resource 'trustedkeys.kbx'
  gpgv: keyblock resource '/tmp/autopkgtest-lxc.8prm8y9v/downtmp/autopkgtest_tmp/gnupg/trustedkeys.kbx': General error
  gpgv: Signature made Sun Jun 28 07:40:07 2020 UTC
  gpgv:                using RSA key BCD22CD83243B79D3DFAC33EA3DBCBC039B13D8A
  gpgv: Can't check signature: No public key
  dgit: error: failed to verify signature on ../mirror/pool/main/example_1.2.dsc
  + rc=255
  + set +x

  %%%%%%%%%%%%%%%%%%%% EXITING 255 %%%%%%%%%%%%%%%%%%%%

                  Most relevant logs are just before assignment rc=255
                  Will now do cleanup etc.

The string "failed to verify signature" is not generated by code in
dgit.  Looking at the code in dgit, I think the error happens here:

    my $dp = new Dpkg::Source::Package filename => $dscfn,
        require_valid_signature => $needsig;
    {
        local $SIG{__WARN__} = sub {
            print STDERR $_[0];
            return unless $needsig;
            fail __ "import-dsc signature check failed";
        };
        if (!$dp->is_signed()) {
            warn f_ "%s: warning: importing unsigned .dsc\n", $us;
        } else {
            my $r = $dp->check_signature();
            confess "->check_signature => $r" if $needsig && $r;
        }
    }

I think this rather complex code is trying to deal with API
compatibility issues surrounding require_valid_signature etc.  Anyway,
I think the message is generated by the call to
Dpkg::Source::Package::new.  I think that function inserted $0 into
the error message.

I don't know why it is verifying the signature.  I think in this
particular test $needsig is 0.  I searched the code for the variable
and the only place dgit sets it trueish is if dgit import-dsc is
told --require-valid-signature.

So I don't know what a "trustedkeys.kbx" file is or why I need one
now.  (dgit's test suite naturally has a set of test keys, so it has
its own idea of the public keys to use for signature verifications.
But this test case should not involve any of that.)

FYI this is currently preventing the migration of the new dpkg.

From the above it seems to me that that migration block is correct
because src:dpkg has a regression here.

Thanks,
Ian.

-- 
Ian Jackson <[email protected]>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

--- End Message ---
--- Begin Message ---
Source: dgit
Source-Version: 10.0
Done: Ian Jackson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dgit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ian Jackson <[email protected]> (supplier of updated dgit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 04 Sep 2022 13:43:34 +0100
Source: dgit
Architecture: source
Version: 10.0
Distribution: unstable
Urgency: medium
Maintainer: Ian Jackson <[email protected]>
Changed-By: Ian Jackson <[email protected]>
Closes: 964286 973896 992606 995056 1018143 1018984
Changes:
 dgit (10.0) unstable; urgency=medium
 .
   Major command line change - dgit push vs push-built:
   * Introduce "dgit push-built", meaning what "dgit push" does now.
   * Make "dgit push" a configurable alias, which by default warns about
     future incompatibility and then runs "dgit push-built".  See dgit(1).
   * Docs: generally recommend "push-source" rather than "push".
     [Report from Osamu Aoki]  Closes:#992606.
 .
   New feature, and change to recommended usage:
   * Provide --quilt=single, and no longer recommend single-debian-patch
     anywhere (since it can go badly wrong).  Closes:#1018984.
 .
   Handling of unusual kinds of change to upstream files, during quilt fixup:
   * Don't use dpkg-source --commit, but git diff.
   * Handle executability changes.  Closes:#995056.  [Report from Peter Green]
   * Reject all changes to symlinks (including symlink creation).
   * With dpkg single-debian-patch, pass --include-removal to dpkg-source -b.
   * Now we can make any diff that dpkg-source can cope with.  Closes:#1018143.
 .
   Changes related to --dry-run and --damp-run:
   * dgit(1): Demote, and add caveats describing their behaviours.
     Closes:#973896.  [Report from Wookey]
   * dry run: Fix a handful of bugs (and improve a message).
 .
   Other:
   * dgit: Pass require_valid_signature to Dpkg::Source::Package
     in the correct manner.  Closes: #964286.  [Guillem Jover]
 .
   Internal:
   * Refactorings and commentary, to support the other changes.
   * Consequential updates to tests.
   * More comprehensive testing of unusual upstream changes.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
