Bug#892255: lintian: orig-tarball-missing-upstream-signature with signed .tar

2018-03-08 Thread Chris Lamb
Hi Uwe,

> Note there are some dragons (from #debian-devel):

[…]

Thanks for the heads-up. Naturally, we can always revert this
commit and -- just in case -- it's not as if we are recommending
tar.asc anywhere in the documentation or the output.  :)


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#892255: lintian: orig-tarball-missing-upstream-signature with signed .tar

2018-03-08 Thread Uwe Kleine-König
Hello Chris,

Thanks for your quick action.

On Thu, Mar 08, 2018 at 06:10:15AM +, Chris Lamb wrote:
> tags 892255 + pending
> thanks
> 
> Fixed in Git, pending upload:
> 
> https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=d951d71b164f99c287c4e244eaa15f306e7cb703

Note there are some dragons (from #debian-devel):

1520499444 < Viiru> ukleinek: So upstream is providing multiple
different compressed files and only one signature or some such?
1520499454 < ukleinek> Viiru: ack
1520499460 < Viiru> ukleinek: Do note that this scheme assumes that your
decompressor is not an attack vector.
1520499484 < Viiru> (gpg itself is also obviously an attack vector, but
that is unavoidable)
1520499494 < jcristau> (and sigs for uncompressed tarballs seem like a
bad idea regardless)
1520499567 < Viiru> I'd suggest educating upstream instead of trying to
make this scheme work.

And with my addition of the .tar.asc I broke the upload processing.
(It's not yet entirely clear to me if I added the .tar.asc in a wrong
way or if its mere presence was the problem.)

Best regards
Uwe




Bug#892255: lintian: orig-tarball-missing-upstream-signature with signed .tar

2018-03-07 Thread Chris Lamb
tags 892255 + pending
thanks

Fixed in Git, pending upload:

https://anonscm.debian.org/git/lintian/lintian.git/commit/?id=d951d71b164f99c287c4e244eaa15f306e7cb703


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#892255: lintian: orig-tarball-missing-upstream-signature with signed .tar

2018-03-07 Thread Uwe Kleine-König
Package: lintian
Version: 2.5.78
Severity: normal

Hello,

uwe@taurus:~/debpkg/microcom$ xzcat microcom_2017.03.0.orig.tar.xz | gpg --verify microcom_2017.03.0.orig.tar.asc -
gpg: Signature made Tue 06 Mar 2018 02:21:38 PM CET
gpg:                using RSA key 7E722A169018ACFF3E74A40BC1FC1478ADCAEC09
gpg: Good signature from "Uwe Kleine-König " [ultimate]
gpg:                 aka "Uwe Kleine-König " [ultimate]
gpg:                 aka "Uwe Kleine-König " [ultimate]
gpg:                 aka "Uwe Kleine-König " [ultimate]
gpg:                 aka "Uwe Kleine-König " [ultimate]
gpg:                 aka "Uwe Kleine-König " [ultimate]
Primary key fingerprint: 0D25 11F3 22BF AB1C 1580  266B E2DC DD91 3266 9BD6
     Subkey fingerprint: 7E72 2A16 9018 ACFF 3E74  A40B C1FC 1478 ADCA EC09
uwe@taurus:~/debpkg/microcom$ grep microcom_2017.03.0.orig.tar.asc microcom_2017.03.0-1_source.changes
 f26feeaf212c5be8fa203f2102ac68024ab4cda0010f0b84c8a4415fd9c6471d 310 microcom_2017.03.0.orig.tar.asc
 bea45ee0c144df466f1340ea45771353e6aa5e49 310 microcom_2017.03.0.orig.tar.asc
 918dc12abfcb768c5563351a21b144f6 310 - - microcom_2017.03.0.orig.tar.asc
uwe@taurus:~/debpkg/microcom$ lintian microcom_2017.03.0-1_source.changes
W: microcom changes: orig-tarball-missing-upstream-signature microcom_2017.03.0.orig.tar.xz

It would be great if lintian considered a signature on the extracted
orig.tar that is shipped in the changes file.

This is (slightly) related to https://bugs.debian.org/882694 .

Best regards
Uwe

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (500, 'unstable-debug'), 
(500, 'stable'), (499, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lintian depends on:
ii  binutils  2.30-5
ii  bzip2 1.0.6-8.1
ii  diffstat  1.61-1+b1
ii  dpkg  1.19.0.5
ii  file  1:5.32-2
ii  gettext   0.19.8.1-4
ii  intltool-debian   0.35.0+20060710.4
ii  libapt-pkg-perl   0.1.33
ii  libarchive-zip-perl   1.60-1
ii  libclass-accessor-perl0.51-1
ii  libclone-perl 0.39-1
ii  libdpkg-perl  1.19.0.5
ii  libemail-valid-perl   1.202-1
ii  libfile-basedir-perl  0.07-1
ii  libipc-run-perl   0.96-1
ii  liblist-moreutils-perl0.416-1+b3
ii  libparse-debianchangelog-perl 1.2.0-12
ii  libperl5.26 [libdigest-sha-perl]  5.26.1-5
ii  libtext-levenshtein-perl  0.13-1
ii  libtimedate-perl  2.3000-2
ii  liburi-perl   1.73-1
ii  libxml-simple-perl2.24-1
ii  libyaml-libyaml-perl  0.69+repack-1
ii  man-db2.8.2-1
ii  patchutils0.3.4-2
ii  perl  5.26.1-5
ii  t1utils   1.41-2
ii  xz-utils  5.2.2-1.3

Versions of packages lintian recommends:
ii  libperlio-gzip-perl  0.19-1+b4

Versions of packages lintian suggests:
ii  binutils-multiarch 2.30-5
ii  dpkg-dev   1.19.0.5
ii  libhtml-parser-perl3.72-3+b2
ii  libtext-template-perl  1.47-1

-- no debconf information
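The check requested in the report above, as an added example that is not lintian's own code: it reads the Files: section of a .changes file and accepts either a signature over the compressed tarball (foo.orig.tar.xz.asc) or one over the decompressed tar (foo.orig.tar.asc), emitting the tag only when neither is shipped. The .changes fragment is constructed (the zeroed md5sums are placeholders); the "uncompressed" status is reported separately because, as noted in the thread, verifying that form means running the decompressor on data that has not been authenticated yet.

```python
import re

# Orig tarballs, including component tarballs (foo_1.0.orig-docs.tar.gz).
ORIG_RE = re.compile(
    r"^(?P<base>[a-z0-9][a-z0-9+.-]*_[^_/]+\.orig(?:-[a-z0-9-]+)?)\.tar"
    r"\.(?P<ext>gz|bz2|xz|lzma)$"
)

# Constructed .changes fragment, not the real microcom upload.
CHANGES = """\
Format: 1.8
Source: microcom
Checksums-Sha256:
 f26feeaf212c5be8fa203f2102ac68024ab4cda0010f0b84c8a4415fd9c6471d 310 microcom_2017.03.0.orig.tar.asc
Files:
 00000000000000000000000000000000 1000 comm optional microcom_2017.03.0-1.dsc
 00000000000000000000000000000000 50000 comm optional microcom_2017.03.0.orig.tar.xz
 918dc12abfcb768c5563351a21b144f6 310 - - microcom_2017.03.0.orig.tar.asc
 00000000000000000000000000000000 4000 comm optional microcom_2017.03.0-1.debian.tar.xz
"""

def files_in_changes(changes_text):
    """Return the file names listed in the Files: section of a .changes file."""
    names, in_files = [], False
    for line in changes_text.splitlines():
        if not line.startswith(" "):          # a new field starts here
            in_files = line.startswith("Files:")
            continue
        if in_files:                          # "md5 size section priority filename"
            names.append(line.split()[-1])
    return names

def signature_status(names):
    """Map each orig tarball to how it is signed: 'compressed' (<tarball>.asc),
    'uncompressed' (<base>.tar.asc, signature over the decompressed tar, so the
    decompressor runs before anything is verified), or None (no signature)."""
    present, status = set(names), {}
    for name in names:
        m = ORIG_RE.match(name)
        if not m:
            continue
        if name + ".asc" in present:
            status[name] = "compressed"
        elif m.group("base") + ".tar.asc" in present:
            status[name] = "uncompressed"
        else:
            status[name] = None
    return status

def lintian_tags(names):
    """Tags a lintian-style check would emit for this file list."""
    return [f"W: orig-tarball-missing-upstream-signature {tarball}"
            for tarball, how in signature_status(names).items() if how is None]

if __name__ == "__main__":
    print(signature_status(files_in_changes(CHANGES)), lintian_tags(files_in_changes(CHANGES)))
```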