On Thu, December 12, 2013 21:35, Franz Schrober wrote:
>>
>> Thanks. However, this doesn't work for me. If I put random data in the
>> .pgp file it will download the orig.tar.gz blindly. Is this expected?
>> (I'm using sid.)
>
> What *.pgp? The watch file was configured to scan for *sig files. And yes,
> the debian/upstream-signing-key.pgp has to be a valid keyring (which the
> debian package maintainer provides) and is the one which is used to check
> against. I don't think the author intended that it can be invalid but it
> should still download it and tell you that it is an invalid packet and
> warn you about it.

Well, the idea of making it invalid was to see if the download would actually fail on that.

> I've Cc'ed the author of this feature to discuss it with you. But I just
> checked it with following scenario:
>
> 1. write a correct watchfile + debian/upstream-signing-key.pgp
> 2. test it (should download both signature and file)
> 3. change the debian/watch to a wrong ending
> 4. delete previous downloaded files
> 5. use uscan again
> 6. look weird around because the file still exists even when the signature
> could not be checked because of this 404. It also doesn't generate a
> failure returncode

Thanks. In any case, given the seemingly endless supply of security bugs being discovered in uscan I'm going to hold off on this for a while now.

cheers,
Thijs
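The scenario above (signature fetch returns 404, yet the tarball stays on disk and the tool exits 0) is the classic fail-open shape. The following is an added illustration, not uscan's code or anything from the Debian devscripts project, of the fail-closed flow a downloader should follow: the tarball is only kept when the detached signature was both fetched and verified, and every failure path removes the file and returns non-zero. The fetcher and verifier are injected so it runs offline; the URLs, keyring and tarball bytes are constructed, and an HMAC-SHA256 check stands in for OpenPGP detached-signature verification (an assumption made so the example needs no gpg binary; the control flow is the point).

```python
"""Fail-closed fetch-and-verify of an upstream tarball with a detached signature.

Added example for the uscan discussion; not uscan's own code. HMAC-SHA256 is a
stand-in for OpenPGP verification so the whole flow can run offline.
"""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class FetchError(Exception):
    """Raised by a fetcher when the remote fails, e.g. HTTP 404 on the .asc."""


# url -> body, raises FetchError
Fetcher = Callable[[str], bytes]
# (data, signature, keyring) -> True only if the signature is valid
Verifier = Callable[[bytes, bytes, bytes], bool]


@dataclass
class Result:
    exit_code: int          # 0 only when the signature was fetched and verified
    message: str
    tarball_path: Optional[str]


def fetch_and_verify(tarball_url: str, sig_url: str, keyring: bytes,
                     fetch: Fetcher, verify: Verifier, destdir: str) -> Result:
    """Download tarball and signature; never leave an unverified tarball behind."""
    tarball_path = os.path.join(destdir, os.path.basename(tarball_url))
    try:
        data = fetch(tarball_url)
    except FetchError as e:
        return Result(1, f"tarball download failed: {e}", None)
    with open(tarball_path, "wb") as f:
        f.write(data)
    try:
        sig = fetch(sig_url)
    except FetchError as e:
        # The scenario in the thread: signature 404s. Discard the file and fail.
        os.unlink(tarball_path)
        return Result(2, f"signature download failed ({e}); tarball discarded", None)
    if not verify(data, sig, keyring):
        # Garbage keyring or tampered tarball: same outcome, discard and fail.
        os.unlink(tarball_path)
        return Result(3, "signature verification failed; tarball discarded", None)
    return Result(0, "signature verified", tarball_path)


def make_fetcher(responses: Dict[str, bytes]) -> Fetcher:
    """Constructed offline fetcher: unknown URLs behave like an HTTP 404."""
    def fetch(url: str) -> bytes:
        if url not in responses:
            raise FetchError(f"404 Not Found: {url}")
        return responses[url]
    return fetch


def hmac_sign(data: bytes, keyring: bytes) -> bytes:
    """Stand-in for producing a detached signature (assumption: HMAC, not OpenPGP)."""
    return hmac.new(keyring, data, hashlib.sha256).hexdigest().encode()


def hmac_verify(data: bytes, sig: bytes, keyring: bytes) -> bool:
    """Stand-in verifier; constant-time comparison against the expected tag."""
    return hmac.compare_digest(hmac_sign(data, keyring), sig)


def run_scenario(sig_present: bool, sig_valid: bool = True) -> Tuple[Result, List[str]]:
    """Run one of the thread's cases and report what was left in the download dir."""
    keyring = b"constructed-keyring-bytes"
    tarball = b"constructed upstream tarball contents"
    tarball_url = "https://example.invalid/foo-1.0.tar.gz"   # constructed
    sig_url = tarball_url + ".asc"                            # constructed
    responses = {tarball_url: tarball}
    if sig_present:
        responses[sig_url] = hmac_sign(tarball, keyring) if sig_valid else b"garbage"
    with tempfile.TemporaryDirectory() as destdir:
        result = fetch_and_verify(tarball_url, sig_url, keyring,
                                  make_fetcher(responses), hmac_verify, destdir)
        leftover = sorted(os.listdir(destdir))
    return result, leftover


if __name__ == "__main__":
    for present, valid in ((True, True), (False, True), (True, False)):
        res, left = run_scenario(present, valid)
        print(f"sig_present={present} sig_valid={valid}: exit={res.exit_code} "
              f"left={left} ({res.message})")
```

The check a reviewer would apply to any such tool is the middle case: with the signature URL returning 404, the download directory must be empty afterwards and the exit status non-zero, which is exactly what step 6 in the quoted scenario reports uscan not doing.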