
Bug#870069: orig-tarball-missing-upstream-signature error breaks rebuilding existing packages and more



I second the request that this lintian check just be a warning, not an error.

Please also accept binary signature files--and I realize more than
just lintian will have to change to support that.  The GNU Project's
files are signed with "gpg -b" to produce a binary ".sig" file for
uploading to ftp.gnu.org.  That site is the natural upstream
repository for the bulk of GNU Project packages, and the ".sig" files
on that site should be the canonical signatures for those packages.
That would allow one master signature file for a package--the binary
".sig" file that I and other GNU Project maintainers upload to GNU's
FTP site along with a package.

Now that lintian is throwing an error if a ".orig.tar.gz.asc" file is
missing, addressing this change is more important.  I realize that
packaging tools will also need to recognize and use a ".sig" file as
an alternative to a ".asc" file.  Multiple applications can create
packages, so multiple bug reports might be necessary to make that
change.

In my case, I am using pdebuild.  It did not recognize a ".sig" file
that I created for a ".orig.tar.gz" file (I just tried after getting
the lintian error).  Running a command of the form "gpg --verify
mypkg_orig.tar.gz.sig" sees that the signature is valid for the
tarball.

In the meantime, will anyone object to our using a lintian override for this?

Thanks,


Paul Hardy
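
A binary ".sig" made with "gpg -b" and an ASCII-armored ".asc" carry the same OpenPGP signature packets; the armor is only a base64 wrapper with a CRC-24 checksum (RFC 4880, section 6). The sketch below is an added example, not part of the original message or of any Debian tool, and it shows that conversion in both directions. The function names and the sample bytes are assumptions made for illustration.

```python
import base64

BEGIN = "-----BEGIN PGP SIGNATURE-----"
END = "-----END PGP SIGNATURE-----"

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor_signature(sig: bytes) -> str:
    """Wrap a binary detached signature (.sig) as ASCII armor (.asc)."""
    if sig.lstrip().startswith(BEGIN.encode()):
        return sig.decode("ascii")  # already armored, pass through
    if not sig or not (sig[0] & 0x80):
        raise ValueError("not an OpenPGP packet: first byte lacks the tag bit")
    b64 = base64.b64encode(sig).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    check = base64.b64encode(crc24(sig).to_bytes(3, "big")).decode()
    return f"{BEGIN}\n\n{body}\n={check}\n{END}\n"

def dearmor_signature(text: str) -> bytes:
    """Recover the binary signature, rejecting a damaged armor checksum."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing PGP SIGNATURE armor lines")
    payload = lines[lines.index("") + 1:-1]  # blank line ends armor headers
    check = payload.pop()[1:] if payload and payload[-1].startswith("=") else None
    sig = base64.b64decode("".join(payload))
    if check is not None and base64.b64decode(check) != crc24(sig).to_bytes(3, "big"):
        raise ValueError("armor CRC-24 mismatch")
    return sig

# Constructed sample: 100 bytes that only start like an OpenPGP packet.
# It is not a real signature and will not verify with gpg.
SAMPLE_SIG = bytes([0x89, 0x01, 0x33]) + bytes(range(97))

if __name__ == "__main__":
    print(armor_signature(SAMPLE_SIG))
```

The armor checksum only detects transport damage; whether the signature is valid for the tarball is still decided by "gpg --verify" against the signer's key.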

