Your message dated Sat, 07 Mar 2026 10:09:24 +0100
with message-id <[email protected]>
and subject line Re: watch(5): mention Pgpmode: and Pgp-mode: as aliases of
Pgp-Mode:
has caused the Debian Bug report #1129985,
regarding watch(5): mention Pgpmode: and Pgp-mode: as aliases of Pgp-Mode:
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1129985: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129985
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: devscripts
Version: 2.25.22~bpo13+1
Severity: wishlist
Could you document that debian/watch supports not only 'Pgp-Mode:' but
that also 'Pgpmode:' is an alias that means the same thing?
See below for discussion related to lintian not knowing about both tags,
which is due to lack of documentation about this. Uscan already
supports 'Pgpmode:' too, it seems, and the field appears to be used in
many packages.
I think it is too late to try to enforce any right or wrong here, and
simpler to just document that both tags works.
/Simon
Nilesh Patra <[email protected]> writes:
> On 07/03/26 1:30 pm, Simon Josefsson wrote:
>> Nilesh Patra <[email protected]> writes:
>>
>>> On 07/03/26 1:03 pm, Simon Josefsson wrote:
>>>> Package: lintian
>>>> Version: 2.122.0
>>>>
>>>> Hi!
>>>>
>>>> It seems orig-tarball-missing-upstream-signature is enabled at Warning
>>>> severity level when debian/upstream/signing-key.asc exists but there is
>>>> no *.asc PGP tarball signature, see lintian complaint below.
>>>>
>>>> However 'ding-libs' is using upstream git as the source, and upstream
>>>> uses PGP signed tags, as explained by debian/watch:
>>>>
>>>> Version: 5
>>>> Source: https://github.com/SSSD/ding-libs.git
>>>> Matching-Pattern: refs/tags/@ANY_VERSION@
>>>> Mode: git
>>>> Pgpmode: gittag
>>>>
>>>> For that PGP git tag verification to work, a PGP key is needed, and I
>>>> believe uscan and other tools uses debian/upstream/signing-key.asc for
>>>> verifying PGP-signed git tags, and has done so for a long time now.
>>>>
>>>> Thus, I think orig-tarball-missing-upstream-signature should be modified
>>>> to not trigger, at least not at warning level, when PGP-signed git tags
>>>> are used.
>>>>
>>>> I did not see PGP-signed git tags discussed in #954743 and #872864 but
>>>> could have missed it, so I think this is a somewhat different situation
>>>
>>> That is already the case, lintian checks for "Pgp-Mode: gittag" and does
>>> not emit it for the same. Pgp-Mode is documented in d/watch manpage[1].
>>>
>>> Your package uses "Pgpmode: gittag" which is either wrong or not documented
>>> in the manpage. Do you know if it's the latter case? If so, I will add this.
>>
>> D'uh! Thank you for spotting that. This is cut'n'paste code, so I'm
>> pretty sure this was coming from some other package.
>
> Yes. I see quite a few of them
>
> https://codesearch.debian.net/search?q=path%3Adebian%2Fwatch+Pgpmode%3A&literal=1
>
>> Uscan seems to be performing PGP verification here, snippet from
>> complete output below:
>>
>> uscan info: => Package is up to date from:
>> => https://github.com/SSSD/ding-libs.git refs/tags/0.7.0
>> uscan info: => Forcing download as requested
>> uscan info: Downloading and overwriting existing file: ding-libs-0.7.0.tar.xz
>> uscan info: Successfully downloaded package: ding-libs-0.7.0.tar.xz
>> gpgv: Signature made Mon Mar 2 11:50:45 2026 CET
>> gpgv: using RSA key 930201AAB42DD1947210B7838D7326351A726211
>> gpgv: Good signature from "Alexey Tikhonov <[email protected]>"
>> uscan info: New orig.tar.* tarball version (oversionmangled): 0.7.0
>>
>> So presumably uscan supports 'Pgpmode:' too.
>
> Can I ask you to open a bug against devscripts and ask them to either
>
> a) document this
> or
> b) fix this if it is not expected?
>
> Maybe you could just re-assign this bug for the context.
>
>> I confirmed that changing debian/watch to 'Pgp-Mode: gittag' silenced
>> lintian.
>>
>> I still get the warning with 'Pgp-mode: gittag'. Is the header supposed
>> to be case sensitive?
>
> Yes.
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Closing because it was already documented implicitly:
https://dyn.manpages.debian.org/testing/devscripts/debian-watch.5.en.html?
- Key names are case-insensitive.
- Hyphens in key names are ignored. Matching-Pattern is equivalent to
Matchingpattern
/Simon
signature.asc
Description: PGP signature
--- End Message ---
