Bug#856128: debian-watch-may-check-gpg-signature: false positives

2018-10-26 Thread Chris Lamb
Mattia Rizzolo wrote:

> Yes, if upstream does not publish gpg signatures, you are stuck with
> that tag.  You may override it if you wish so (I personally wouldn't),
> but the idea is that you should talk with upstream and "convince" him to
> start doing so.

Martin-Éric, does this resolve your query? If so, please go ahead and
close this bug. Thanks!


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#856128: debian-watch-may-check-gpg-signature: false positives

2017-02-26 Thread Mattia Rizzolo
On Sun, Feb 26, 2017 at 01:13:47PM +0200, Martin-Éric Racine wrote:
> No, it does not. Adding a pgpurlmangle option won't magically make
> upstream produce GPG signatures.

Oh, sorry, I misread your first email, reading that your upstream does
provide signatures, and even with that lintian was nagging you.

Yes, if upstream does not publish gpg signatures, you are stuck with
that tag.  You may override it if you wish so (I personally wouldn't),
but the idea is that you should talk with upstream and "convince" him to
start doing so.

> However, upstream does publish foo.tar.gz.md5 checksums.

MD5 is useless and is nearly as good as nothing for integrity checking.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-




Bug#856128: debian-watch-may-check-gpg-signature: false positives

2017-02-26 Thread Martin-Éric Racine
2017-02-26 12:07 GMT+02:00 Mattia Rizzolo :
> Control: tag -1 moreinfo
>
> On Sat, Feb 25, 2017 at 01:04:54PM +, Martin-Éric Racine wrote:
>> It appears that debian-watch-may-check-gpg-signature generates false 
>> positives.
>>
>> On src:cups-pdf Lintian reports debian-watch-may-check-gpg-signature
>> yet upstream does not publish any GPG signature. However, upstream
>> does publish foo.tar.gz.md5 checksums.
>
> lintian has no knowledge, nor has any way to know that a given upstream
> publishes gpg signatures…

On what basis does it report the error then?

> the problem is that your watch file does not check for a gpg signature,
> exactly as the tag says.  And as the tag description says:

It does not check for it because upstream does not provide any.

> N:   If upstream distributions provide such signatures, please use the
> N:   pgpsigurlmangle options in this watch file's opts= to generate the URL
> N:   of an upstream GPG signature. This signature is automatically
> N:   downloaded and verified against a keyring stored in
> N:   debian/upstream/signing-key.asc.
>
>
> (instead of pgpsigurlmangle you can use pgpmode=auto if uscan is clever
> enough for this case)
>
>
> does this solve your issue?

No, it does not. Adding a pgpurlmangle option won't magically make
upstream produce GPG signatures.

Martin-Éric



Processed: Re: Bug#856128: debian-watch-may-check-gpg-signature: false positives

2017-02-26 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #856128 [lintian] debian-watch-may-check-gpg-signature: false positives
Added tag(s) moreinfo.

-- 
856128: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856128
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#856128: debian-watch-may-check-gpg-signature: false positives

2017-02-26 Thread Mattia Rizzolo
Control: tag -1 moreinfo

On Sat, Feb 25, 2017 at 01:04:54PM +, Martin-Éric Racine wrote:
> It appears that debian-watch-may-check-gpg-signature generates false 
> positives.
> 
> On src:cups-pdf Lintian reports debian-watch-may-check-gpg-signature
> yet upstream does not publish any GPG signature. However, upstream
> does publish foo.tar.gz.md5 checksums.

lintian has no knowledge, nor has any way to know that a given upstream
publishes gpg signatures…

> By the looks of it, debian-watch-may-check-gpg-signature checks for
> the presence of foo.tar.gz.* and reports a positive regardless of
> whether * indeed is a GPG signature or not.

How do you infer that?  I find the relevant code pretty clear:

|$withgpgverification = 1
|  if /^pgpsigurlmangle\s*=\s*/;
|$withgpgverification = 1
|  if /^pgpmode\s*=\s*(?!none\s*$)\S.*$/;
|
|tag 'debian-watch-may-check-gpg-signature' unless ($withgpgverification);


the problem is that your watch file does not check for a gpg signature,
exactly as the tag says.  And as the tag description says:

N:   If upstream distributions provide such signatures, please use the
N:   pgpsigurlmangle options in this watch file's opts= to generate the URL
N:   of an upstream GPG signature. This signature is automatically
N:   downloaded and verified against a keyring stored in
N:   debian/upstream/signing-key.asc.


(instead of pgpsigurlmangle you can use pgpmode=auto if uscan is clever
enough for this case)


does this solve your issue?

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


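The check quoted above decides purely on the contents of debian/watch: the tag is emitted unless an `opts=` entry sets `pgpsigurlmangle` or a `pgpmode` other than `none`, and nothing about what files upstream actually hosts enters into it. The following is an added Python example, not lintian's own code (lintian's Perl is the `|`-quoted snippet in the message), that re-implements the two regular expressions from that snippet over a simplified watch-file parser and runs them against constructed watch files. The sample watch files, URLs and the parser's handling of `opts=` (quoted or bare value, comma-separated, backslash continuations joined) are assumptions made for the example.

```python
import re

# Constructed debian/watch samples (not taken from any real package).
WATCH_WITHOUT_SIG = """version=4
https://example.org/releases/ .*/foo-(\\d[\\d.]*)\\.tar\\.gz
"""

WATCH_WITH_SIGURLMANGLE = """version=4
opts="pgpsigurlmangle=s/$/.asc/" \\
https://example.org/releases/ .*/foo-(\\d[\\d.]*)\\.tar\\.gz
"""

WATCH_WITH_PGPMODE_AUTO = """version=4
opts=pgpmode=auto https://example.org/releases/ .*/foo-(\\d[\\d.]*)\\.tar\\.gz
"""

WATCH_WITH_PGPMODE_NONE = """version=4
opts=pgpmode=none https://example.org/releases/ .*/foo-(\\d[\\d.]*)\\.tar\\.gz
"""

TAG = "debian-watch-may-check-gpg-signature"

# The two patterns are copied from the lintian snippet quoted in the thread:
# pgpsigurlmangle=<anything>, or pgpmode=<anything except "none">.
_SIGURLMANGLE = re.compile(r"^pgpsigurlmangle\s*=\s*")
_PGPMODE = re.compile(r"^pgpmode\s*=\s*(?!none\s*$)\S.*$")

# Simplified opts= grammar (assumption): either a double-quoted value or a
# bare non-whitespace token, followed by the rest of the watch line.
_OPTS_RE = re.compile(r'^opts=(?:"([^"]*)"|(\S*))\s*')


def _logical_lines(text):
    """Join backslash-continued lines so a multi-line watch entry is one line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()


def watch_options(text):
    """Return every comma-separated option found in opts= entries of a watch file."""
    opts = []
    for line in _logical_lines(text):
        if not line or line.startswith("#") or line.startswith("version="):
            continue
        m = _OPTS_RE.match(line)
        if m:
            value = m.group(1) if m.group(1) is not None else m.group(2)
            opts.extend(o.strip() for o in value.split(",") if o.strip())
    return opts


def watch_checks_gpg_signature(text):
    """True iff some opts= entry would make uscan fetch and verify a signature."""
    return any(_SIGURLMANGLE.match(o) or _PGPMODE.match(o)
               for o in watch_options(text))


def lintian_tags(text):
    """The tag list lintian's check would emit for this watch file: [] or [TAG]."""
    return [] if watch_checks_gpg_signature(text) else [TAG]


if __name__ == "__main__":
    for name, watch in [("no signature opts", WATCH_WITHOUT_SIG),
                        ("pgpsigurlmangle", WATCH_WITH_SIGURLMANGLE),
                        ("pgpmode=auto", WATCH_WITH_PGPMODE_AUTO),
                        ("pgpmode=none", WATCH_WITH_PGPMODE_NONE)]:
        print(f"{name:20s} -> {lintian_tags(watch) or 'clean'}")
```

Running it shows the first and last samples tagged and the middle two clean. Note that the `pgpsigurlmangle` sample is silent for lintian but would make uscan fail at download time if `foo-1.0.tar.gz.asc` does not exist on the server, which is exactly the situation the thread describes: adding the option does not create a signature, and the only alternatives are an override or persuading upstream to sign.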


Bug#856128: debian-watch-may-check-gpg-signature: false positives

2017-02-25 Thread Martin-Éric Racine
Package: lintian
Version: 2.5.50.1
Severity: normal

It appears that debian-watch-may-check-gpg-signature generates false positives.

On src:cups-pdf Lintian reports debian-watch-may-check-gpg-signature yet 
upstream does not publish any GPG signature. However, upstream does publish 
foo.tar.gz.md5 checksums. 

By the looks of it, debian-watch-may-check-gpg-signature checks for the 
presence of foo.tar.gz.* and reports a positive regardless of whether * indeed 
is a GPG signature or not.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (800, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages lintian depends on:
ii  binutils  2.27.90.20170221-1
ii  bzip2 1.0.6-8.1
ii  diffstat  1.61-1
ii  file  1:5.29-3
ii  gettext   0.19.8.1-2
ii  intltool-debian   0.35.0+20060710.4
ii  libapt-pkg-perl   0.1.30
ii  libarchive-zip-perl   1.59-1
ii  libclass-accessor-perl0.34-1
ii  libclone-perl 0.38-2+b1
ii  libdpkg-perl  1.18.22
ii  libemail-valid-perl   1.202-1
ii  libfile-basedir-perl  0.07-1
ii  libipc-run-perl   0.94-1
ii  liblist-moreutils-perl0.416-1+b1
ii  libparse-debianchangelog-perl 1.2.0-12
ii  libperl5.24 [libdigest-sha-perl]  5.24.1-1
ii  libtext-levenshtein-perl  0.13-1
ii  libtimedate-perl  2.3000-2
ii  liburi-perl   1.71-1
ii  libyaml-libyaml-perl  0.63-2
ii  man-db2.7.6.1-2
ii  patchutils0.3.4-2
ii  perl  5.24.1-1
ii  t1utils   1.39-2
ii  xz-utils  5.2.2-1.2

Versions of packages lintian recommends:
ii  dpkg 1.18.22
ii  libperlio-gzip-perl  0.19-1+b2
ii  perl 5.24.1-1
ii  perl-modules-5.24 [libautodie-perl]  5.24.1-1

Versions of packages lintian suggests:
pn  binutils-multiarch 
ii  dpkg-dev   1.18.22
ii  libhtml-parser-perl3.72-3
pn  libtext-template-perl  

-- no debconf information