Re: tarball signatures in source packages and jessie



On Fri, May 20, 2016 at 19:47:19 +0200, Guillem Jover wrote:

> Hi!
> 
> On Fri, 2016-05-20 at 13:12:37 +0200, Julien Cristau wrote:
> > dpkg-source in sid now picks up orig.tar.gz.asc files and lists them in
> > the source package.  Unfortunately dpkg-source in jessie then explodes
> > on such source packages because it doesn't know what to do with them.
> 
> Actually this only happens for version 1.0 format. Formats >= 2.0
> should be handled correctly in stable.
> 
> > Arguably that would have called for a minor version bump, but in the
> > interest of allowing these files in the archive, would it make sense to
> > cherry-pick
> > http://anonscm.debian.org/git/dpkg/dpkg.git/commit/?id=d01212f2d7e59fc713c66b5d60421ac2296c1463
> > to jessie's dpkg?
> 
> Actually I don't think signatures for 1.0 format should be allowed in
> the archive yet. And that's why I filed #823190 before the dpkg
> upload so that they would get rejected by lintian. But, I guess that
> was really the wrong way to go about it, and I'll just claim temporary
> dementia due to eagerness to get this out of the way. O:)
> 
> Given that I don't see any 1.0 format sources in the archive just yet
> (hope nothing gets uploaded in the interim!):
> 
>  $ egrep -h '^ [0-9a-f]{32} .*\.asc$' /var/lib/apt/lists/*_Sources
>  813d2cdfd10a02a43f3d8f1aeef1fcec 819 libbsd_0.8.3.orig.tar.xz.asc
>  d5cda03b1180452d72df0e096158a40f 173 vlc_2.2.3.orig.tar.xz.asc
> 
There can't be any, because they'd get rejected by dak:
- until today, with something like
  https://lists.debian.org/debian-x/2016/05/msg00160.html
- now, with a dpkg-source error:
  https://lists.debian.org/debian-x/2016/05/msg00168.html

(I attempted to fix the first reject with
http://anonscm.debian.org/git/mirror/dak.git/commit/?id=ac7962e07a871d2619b475c54f6be2b3a79616ee
which only managed to show the second error; I've now got a patch at
http://anonscm.debian.org/cgit/users/jcristau/dak.git/commit/?h=formatone-no-tar-sig
to properly reject 1.0 source packages with orig.tar.gz.asc)

> I'll just disable picking up tarball signatures for 1.0 format for
> now in the next upload, which I'll try to rush out during the weekend.
> 
OK, thanks.

Cheers,
Julien
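
The `egrep` in the quoted message lists every `.asc` file regardless of source format. As an added example (not part of the original thread, and not dpkg or dak code), the script below pairs each `Files` entry with its stanza's `Format` field and reports only 1.0 packages that list a signature. The sample stanzas are constructed, and the function names are hypothetical.

```python
import sys

# Constructed sample in the Sources index layout (not real archive data).
SAMPLE = """\
Package: foo
Format: 1.0
Version: 1.2-3
Files:
 00000000000000000000000000000001 1200 foo_1.2-3.dsc
 00000000000000000000000000000002 50000 foo_1.2.orig.tar.gz
 00000000000000000000000000000003 819 foo_1.2.orig.tar.gz.asc

Package: bar
Format: 3.0 (quilt)
Version: 2.0-1
Files:
 00000000000000000000000000000004 1300 bar_2.0-1.dsc
 00000000000000000000000000000005 173 bar_2.0.orig.tar.xz.asc
"""

def parse_stanzas(text):
    """Yield each stanza as a dict: field name -> list of value lines."""
    for block in text.split("\n\n"):
        fields, name = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t"):        # continuation of the current field
                if name:
                    fields[name].append(line.strip())
            elif ":" in line:                  # start of a new field
                name, _, value = line.partition(":")
                fields[name] = [value.strip()]
        if fields:
            yield fields

def format_one_signatures(text):
    """Return (package, version, filename) for each .asc in a Format 1.0 stanza."""
    hits = []
    for f in parse_stanzas(text):
        if f.get("Format", [""])[0] != "1.0":
            continue                           # formats >= 2.0 are not of interest
        for entry in f.get("Files", []):       # only Files, not Checksums-* fields
            parts = entry.split()              # "<md5> <size> <filename>"
            if len(parts) == 3 and parts[2].endswith(".asc"):
                hits.append((f.get("Package", ["?"])[0], f.get("Version", ["?"])[0], parts[2]))
    return hits

if __name__ == "__main__":
    texts = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]]
    for text in texts or [SAMPLE]:
        for pkg, ver, name in format_one_signatures(text):
            print(pkg, ver, name)
```

Run without arguments it checks the constructed sample; given uncompressed `Sources` files as arguments it checks those instead.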

