Debian Bug report logs - #10253
dpkg-dev: dpkg-buildpackage signs using the value for Maintainer:

Package: dpkg; Maintainer for dpkg is Dpkg Developers <debian-dpkg@lists.debian.org>; Source for dpkg is src:dpkg (PTS, buildd, popcon).

Reported by: Herbert Xu <herbert@greathan.apana.org.au>

Date: Sun, 1 Jun 1997 01:03:01 UTC

Severity: normal

Done: Anthony Towns <ajt@master.debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>:
Bug#10253; Package dpkg-dev. (full text, mbox, link).

Acknowledgement sent to Herbert Xu <herbert@greathan.apana.org.au>:
New bug report received and forwarded. Copy sent to Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Herbert Xu <herbert@greathan.apana.org.au>
To: submit@bugs.debian.org
Subject: dpkg-dev: dpkg-buildpackage signs using the value for Maintainer:
Date: Sun, 1 Jun 1997 10:55:24 +1000
Package: dpkg-dev
Version: 1.4.0.17

This causes a lot of trouble for me since my pgp key includes my own email
address which differs from the one in Maintainer.  Previous versions of
dpkg-dev did not do this.  There should be an option to either revert to the
old behaviour or to specify the key to use.

-- System Information
Debian Release: 1.3
Kernel Version: Linux greathan 2.0.29 #1 Wed Apr 9 08:02:37 EST 1997 i586 unknown

Information forwarded to debian-bugs-dist@lists.debian.org, Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>:
Bug#10253; Package dpkg-dev. (full text, mbox, link).

Acknowledgement sent to "Christian Hudon" <chudon@ee.mcgill.ca>:
Extra info received and forwarded to list. Copy sent to Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>. (full text, mbox, link).

Message #10 received at 10253@bugs.debian.org (full text, mbox, reply):

From: "Christian Hudon" <chudon@ee.mcgill.ca>
To: Herbert Xu <herbert@greathan.apana.org.au>, 10253@bugs.debian.org
Subject: Re: Bug#10253: dpkg-dev: dpkg-buildpackage signs using the value for Maintainer:
Date: Sun, 1 Jun 1997 00:55:18 +0000
[Message part 1 (text/plain, inline)]
On Jun 1, Herbert Xu wrote
> Package: dpkg-dev
> Version: 1.4.0.17
> 
> This causes a lot of trouble for me since my pgp key includes my own email
> address which differs from the one in Maintainer.  Previous versions of
> dpkg-dev did not do this.  There should be an option to either revert to the
> old behaviour or to specify the key to use.

You can have more than one email address attached to a given key. Why don't
you just add your Debian email address to your private key?

  Christian


[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>:
Bug#10253; Package dpkg-dev. (full text, mbox, link).

Acknowledgement sent to Roman.Hodek@informatik.uni-erlangen.de:
Extra info received and forwarded to list. Copy sent to Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>. (full text, mbox, link).

Message #15 received at 10253@bugs.debian.org (full text, mbox, reply):

From: Roman Hodek <rnhodek@faui22c.informatik.uni-erlangen.de>
To: 10253@bugs.debian.org
Subject: Re: Bug#10253: dpkg-dev: dpkg-buildpackage signs using the value for Maintainer:
Date: Wed, 18 Jun 1997 17:03:27 +0200
> > This causes a lot of trouble for me since my pgp key includes my
> own email > address which differs from the one in Maintainer.
> Previous versions of > dpkg-dev did not do this. There should be an
> option to either revert to the > old behaviour or to specify the key
> to use.
> 
> You can have more than one email address attached to a given key.
> Why don't you just add your Debian email address to your private
> key?

I also have problem with this behaviour: If someone compiles packages
for another architecture (binary only), he now has to use the -m
option to get the .changes signed. Otherwise, dpkg-buildpackage tries
to sign with the key of the original maintainer, for which the one who
compiles probably doesn't have the secret key...

But this has the side effect that also dpkg-genchanges now uses the
address of the binary-only uploader in the .changes file in the
Maintainer: field, which is incorrect.

I strongly suggest to use two different option for the real maintainer
address and the pgp key selector to fix this. And if the pgp key name
is initialized with the maintainer address from the changelog (as it
currently is), it would also be nice if one can reset the name to pass
to pgp after -u can be empty. This way you still get the default
behaviour of pgp to sign with the last private key.

My preferred behaviour would be to pass -u to pgp only if some special
option is given. I guess not many people really need it...

Roman

Information forwarded to debian-bugs-dist@lists.debian.org, Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>:
Bug#10253; Package dpkg-dev. (full text, mbox, link).

Acknowledgement sent to James Troup <J.J.Troup@comp.brad.ac.uk>:
Extra info received and forwarded to list. Copy sent to Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>. (full text, mbox, link).

Message #20 received at 10253@bugs.debian.org (full text, mbox, reply):

From: James Troup <J.J.Troup@comp.brad.ac.uk>
To: Roman.Hodek@informatik.uni-erlangen.de, 10253@bugs.debian.org
Subject: Re: Bug#10253: dpkg-dev: dpkg-buildpackage signs using the value for Maintainer:
Date: 21 Jun 1997 12:24:03 +0100
Roman Hodek <rnhodek@faui22c.informatik.uni-erlangen.de> writes:

> I also have problem with this behaviour: If someone compiles
> packages for another architecture (binary only), he now has to use
> the -m option to get the .changes signed. Otherwise,
> dpkg-buildpackage tries to sign with the key of the original
> maintainer, for which the one who compiles probably doesn't have the
> secret key...
> 
> But this has the side effect that also dpkg-genchanges now uses the
> address of the binary-only uploader in the .changes file in the
> Maintainer: field, which is incorrect.

Actually, IMO, this is debatable.  When I started building packages
for m68k, I wasn't pgp signing them, but I was using the -m option to
dpkg-buildpackge|dpkg-genchanges, because otherwise any installer
rejections of an upload get sent to the real maintainer and not the
arch-specific builder.  Before I started doing this some very confused
i386 maintainers were sent mail about my rejected m68k upload of their
package.

I don't think the Maintainer: field in the .changes file should be set
to the real maintainer, not unless the install process is improved
(somehow) to avoid the situation I described above.

-- 
James

Information forwarded to debian-bugs-dist@lists.debian.org, Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>:
Bug#10253; Package dpkg-dev. (full text, mbox, link).

Acknowledgement sent to Roman.Hodek@informatik.uni-erlangen.de:
Extra info received and forwarded to list. Copy sent to Klee Dienes and Ian Jackson <dpkg-maint@chiark.greenend.org.uk>. (full text, mbox, link).

Message #25 received at 10253@bugs.debian.org (full text, mbox, reply):

From: Roman Hodek <rnhodek@faui22c.informatik.uni-erlangen.de>
To: J.J.Troup@comp.brad.ac.uk, 10253@bugs.debian.org
Subject: Re: Bug#10253: dpkg-dev: dpkg-buildpackage signs using the value for Maintainer:
Date: Mon, 23 Jun 1997 10:11:19 +0200
James> Actually, IMO, this is debatable. When I started building
James> packages for m68k, I wasn't pgp signing them, but I was using
James> the -m option to dpkg-buildpackge|dpkg-genchanges, because
James> otherwise any installer rejections of an upload get sent to the
James> real maintainer and not the arch-specific builder. Before I
James> started doing this some very confused i386 maintainers were
James> sent mail about my rejected m68k upload of their package.
James> 
James> I don't think the Maintainer: field in the .changes file should
James> be set to the real maintainer, not unless the install process
James> is improved (somehow) to avoid the situation I described above.

Hmm... I see your point. Since the installer script uses the value of
the Maintainer: field for replies, it more seems like a misnomer...
should be Uploader: or something like that. (The real maintainer can
easily be extracted from the .deb or somewhere else.)

Roman

Bug reassigned from package `dpkg-dev' to `dpkg-iwj'. Request was from Wichert Akkerman <wichert@cs.leidenuniv.nl> to control@bugs.debian.org. (full text, mbox, link).

Bug reassigned from package `dpkg-iwj' to `dpkg'. Request was from Anthony Towns <ajt@master.debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug closed, ack sent to submitter - they'd better know why ! Request was from Anthony Towns <ajt@master.debian.org> to control@bugs.debian.org. (full text, mbox, link).

Bug reassigned from package `dpkg' to `dpkg'. Request was from Anthony Towns <ajt@master.debian.org> to control@bugs.debian.org. (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 26 22:51:13 2024; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.