Bug#929429: marked as done (lintian: Check for concatenated repeated sigs in upstream signatures)



Your message dated Thu, 19 Dec 2019 16:04:44 +0000
with message-id <E1ihyI8-000COX-4B@fasolo.debian.org>
and subject line Bug#929429: fixed in lintian 2.42.0
has caused the Debian Bug report #929429,
regarding lintian: Check for concatenated repeated sigs in upstream signatures
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
929429: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929429
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: lintian
Version: 2.14.0
Severity: wishlist

Hi!

The mk-origtargz program from devscripts was producing bogus upstream
tarball .asc files. It would be nice if this could be warned about, so that
people know this is the case and so that they have sufficient data to
decide whether to fix it right away or wait for the next version bump.

The problems vary in severity though:

  - Doubly armored files.
    Can be easily detected with the equivalent «grep -q ^LS0tLS1CRUd».
  - Bogus Armor Header Lines.
    Usage of /ARMORED FILE/ instead of /SIGNATURE/.
  - Superfluous Armor Fields.
    Presence of /^Version:/ and /^Comment:/.
  - There was also the possibility of concatenated repeated signatures.
    I'm not sure this has occurred in the Debian archive though, but
    uscan when invoked multiple times would produce this. It might be
    worth checking anyway, because even if this might not affect the
    Debian archive it might affect third party packaging.

Fixing this requires modifying one of the upstream source files, so it
cannot be done w/o bumping the version number. This is the equivalent
of a tarball repack, so something like +ds or similar needs to be added
to the upstream version string to be able to avoid collisions.

I sent a mail about all this to debian-devel some weeks ago:

  <https://lists.debian.org/debian-devel/2019/04/msg00459.html>

Thanks,
Guillem

--- End Message ---
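
The four conditions listed in the report above can be checked on an upstream `.asc` file as follows. This is an added example, not part of the original messages and not lintian's implementation; the issue labels, the `armor` helper and the sample inputs are constructed for illustration, and "repeated" is assumed to mean identical armor data appearing more than once.

```python
import base64
import re

# One ASCII-armor block: header line, optional armor fields, blank line, data.
BLOCK = re.compile(
    r"^-----BEGIN PGP ([A-Z ]+)-----\n(.*?)^-----END PGP \1-----$",
    re.M | re.S,
)

def check_upstream_signature(text):
    """Return sorted issue labels (hypothetical names, not lintian tags)."""
    issues, bodies = set(), []
    # Same test as the report's grep: base64 of a line starting "-----BEGIN".
    if re.search(r"^LS0tLS1CRUd", text, re.M):
        issues.add("doubly-armored")
    for kind, inner in BLOCK.findall(text):
        if kind != "SIGNATURE":  # e.g. "ARMORED FILE"
            issues.add("bogus-armor-header-line")
        # Armor fields sit before the first blank line of the block.
        head, sep, data = inner.partition("\n\n")
        if not sep:
            head, data = "", inner
        if re.search(r"^(Version|Comment):", head, re.M):
            issues.add("superfluous-armor-field")
        bodies.append("".join(data.split()))
    # Assumption: "repeated" means identical armor data appearing twice.
    if len(bodies) != len(set(bodies)):
        issues.add("repeated-signature")
    return sorted(issues)

def armor(kind, data, fields=""):
    """Build a constructed armor block for the samples below."""
    return f"-----BEGIN PGP {kind}-----\n{fields}\n{data}\n-----END PGP {kind}-----\n"

# Constructed sample inputs; the payloads are placeholders, not real signatures.
GOOD = armor("SIGNATURE", "iQEzCONSTRUCTEDsampleAAAA\n=AbCd")
OTHER = armor("SIGNATURE", "iQEzCONSTRUCTEDsampleBBBB\n=EfGh")
DOUBLE = armor(
    "ARMORED FILE",
    base64.encodebytes(GOOD.encode()).decode() + "=IjKl",
    fields="Version: constructed\nComment: constructed\n",
)

if __name__ == "__main__":
    for name in ("GOOD", "OTHER", "DOUBLE"):
        print(name, check_upstream_signature(globals()[name]))
    print("GOOD+GOOD", check_upstream_signature(GOOD + GOOD))
```

Two different signatures in one file are not flagged, since a tarball may legitimately carry signatures from more than one key.
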
--- Begin Message ---
Source: lintian
Source-Version: 2.42.0

We believe that the bug you reported is fixed in the latest version of
lintian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929429@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated lintian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 19 Dec 2019 12:01:30 +0000
Source: lintian
Architecture: source
Version: 2.42.0
Distribution: unstable
Urgency: medium
Maintainer: Debian Lintian Maintainers <lintian-maint@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Closes: 33486 471537 546525 635068 796352 892127 907727 929429 929434 929435 929436 946471 946763
Changes:
 lintian (2.42.0) unstable; urgency=medium
 .
   [ Felix Lechner ]
   * Add new checks to identify and notify about issues in upstream
     signatures. (Closes: #929429, #929434, #929435, #929436)
   * Do not consider manpages from related packages when looking for
     manpages without executables. (Closes: #946471)
   * Add a new check for unsafe mailcap entries. (Closes: #33486)
   * Add new Fortran checks to validate module versions and
     prerequisites. (Closes: #796352)
   * Add new checks for empty upstream sources and for when repackaged
     sources are not properly advertised as such. (Closes: #471537)
   * Drop the source-contains-empty-directory tag as it was mostly ignored.
     (Closes: #907727)
   * Remove the bogus service-key-has-whitespace tag. (Closes: #946763)
   * Check TrueType and OpenType fonts for licensing terms.
     (Closes: #635068)
   * Allow "boolean false" directory components in link targets.
     (Closes: #892127)
   * Add a new tag for consistent maintainer fields between changes and
     source processables. (Closes: #546525)
   * Add a new no-dh-sequencer tag to be issued when the debhelper(7) dh(1)
     sequencer is not used.
 .
   [ Guido Günther ]
   * Update the PureOS distribution names in the "vendor" configuration.
 .
   [ Louis-Philippe Véronneau ]
   * Ensure proper VCS location for Debian Python Module Team and Debian
     Python Application Team packages.
Checksums-Sha1:
 f1ed7ac12129ac517705352c3ba1f19864fbc8c9 4101 lintian_2.42.0.dsc
 cdf18f0edfc99dcea694a1ec3c5d9c29fa10f5fd 1863732 lintian_2.42.0.tar.xz
 b4f494cbe36c00ec6986974a80eaa7c06edfa173 17093 lintian_2.42.0_amd64.buildinfo
Checksums-Sha256:
 64cecdede23147d2ed64b8be4d26719c5864566b198a54db9e86b0a51a83ba42 4101 lintian_2.42.0.dsc
 a7d87722f7655f02f52e9dacbe89a9d06f3e627477e4b1909788b721da303542 1863732 lintian_2.42.0.tar.xz
 55c5d539128db032156848094b13c6150fa475f3fd88b2b8261e68fd28808924 17093 lintian_2.42.0_amd64.buildinfo
Files:
 3d59d95528554e9a600f327b119ce7c3 4101 devel optional lintian_2.42.0.dsc
 b83304938a0cfea28ec954c8291590c0 1863732 devel optional lintian_2.42.0.tar.xz
 028b77ccc1cc789d2659bdd0cde6f362 17093 devel optional lintian_2.42.0_amd64.buildinfo


--- End Message ---