Debian Bug report logs - #447955
[debsign] Add "always resign" variable

Package: devscripts; Maintainer for devscripts is Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>; Source for devscripts is src:devscripts (PTS, buildd, popcon).

Reported by: Kees Cook <kees@outflux.net>

Date: Wed, 24 Oct 2007 23:09:02 UTC

Severity: normal

Tags: patch, wontfix

Found in version devscripts/2.10.9

Fixed in version devscripts/2.11.0

Done: James Vega <jamessan@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Devscripts Devel Team <pkg-devscripts@teams.debian.net>:
Bug#447955; Package devscripts.


Acknowledgement sent to Kees Cook <kees@outflux.net>:
New Bug report received and forwarded. Copy sent to Devscripts Devel Team <pkg-devscripts@teams.debian.net>.


Message #5 received at submit@bugs.debian.org:

From: Kees Cook <kees@outflux.net>
To: Debian Bugs <submit@bugs.debian.org>
Subject: Add "always resign" variable
Date: Wed, 24 Oct 2007 15:54:38 -0700
Package: devscripts
Version: 2.10.9
Severity: normal
Tags: patch

When doing lots of "debsign -k" sponsorship work, I have found it
annoying to be prompted for "Would you like to use the current
signature? [Yn]".  This patch adds knowledge of the "DEBSIGN_ALWAYS_RESIGN"
environment variable.  If set, it will skip the question, and resign
without confirmation.

-- 
Kees Cook                                            @outflux.net
[devscripts-debsign-always-resign.patch (text/x-diff, attachment)]

Changed Bug title to `[debsign] Add "always resign" variable' from `Add "always resign" variable'. Request was from Adam D. Barratt <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. (Wed, 24 Oct 2007 23:42:02 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Devscripts Devel Team <pkg-devscripts@teams.debian.net>:
Bug#447955; Package devscripts.


Acknowledgement sent to Mohammed Adnène Trojette <adn+deb@diwi.org>:
Extra info received and forwarded to list. Copy sent to Devscripts Devel Team <pkg-devscripts@teams.debian.net>.


Message #12 received at 447955@bugs.debian.org:

From: Mohammed Adnène Trojette <adn+deb@diwi.org>
To: Kees Cook <kees@outflux.net>, 447955@bugs.debian.org
Subject: Re: Bug#447955: Add "always resign" variable
Date: Thu, 25 Oct 2007 08:16:18 +0200
On Wed, Oct 24, 2007, Kees Cook wrote:
> When doing lots of "debsign -k" sponsorship work, I have found it
> annoying to be prompted for "Would you like to use the current
> signature? [Yn]".  This patch adds knowledge of the "DEBSIGN_ALWAYS_RESIGN"
> environment variable.  If set, it will skip the question, and resign
> without confirmation.

I am not sure I understand. Are you resigning over your own signature or
your sponsoree's?

-- 
Mohammed Adnène Trojette




Information forwarded to debian-bugs-dist@lists.debian.org, Devscripts Devel Team <pkg-devscripts@teams.debian.net>:
Bug#447955; Package devscripts.


Acknowledgement sent to Kees Cook <kees@outflux.net>:
Extra info received and forwarded to list. Copy sent to Devscripts Devel Team <pkg-devscripts@teams.debian.net>.


Message #17 received at 447955@bugs.debian.org:

From: Kees Cook <kees@outflux.net>
To: Mohammed Adnène Trojette <adn+deb@diwi.org>
Cc: 447955@bugs.debian.org
Subject: Re: Bug#447955: Add "always resign" variable
Date: Thu, 25 Oct 2007 09:36:25 -0700
Hi,

On Thu, Oct 25, 2007 at 08:16:18AM +0200, Mohammed Adnène Trojette wrote:
> I am not sure I understand. Are you resigning over your own signature or
> your sponsoree's?

This is when I'm signing over my sponsoree's.  Many of their build
practices include signing packages (it is good practice for their
eventual self-uploading).  This comes up most of all when I'm doing
sponsored security updates.

Thanks,

-Kees

-- 
Kees Cook                                            @outflux.net




Information forwarded to debian-bugs-dist@lists.debian.org, Devscripts Devel Team <pkg-devscripts@teams.debian.net>:
Bug#447955; Package devscripts.


Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Devscripts Devel Team <pkg-devscripts@teams.debian.net>.


Message #22 received at 447955@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: 447955@bugs.debian.org
Cc: Mohammed Adnène Trojette <adn+deb@diwi.org>
Subject: Re: Bug#447955: Add "always resign" variable
Date: Thu, 25 Oct 2007 19:05:16 +0200
Kees Cook wrote:
> Hi,
> 
> On Thu, Oct 25, 2007 at 08:16:18AM +0200, Mohammed Adnène Trojette wrote:
>> I am not sure I understand. Are you resigning over your own signature or
>> your sponsoree's?
> 
> This is when I'm signing over my sponsoree's.  Many of their build
> practices include signing packages (it is good practice for their
> eventual self-uploading).  This comes up most of all when I'm doing
> sponsored security updates.

Do you trust their binaries? If so I hope you do check them thoroughly...

Cheers

Luk




Information forwarded to debian-bugs-dist@lists.debian.org, Devscripts Devel Team <pkg-devscripts@teams.debian.net>:
Bug#447955; Package devscripts.


Acknowledgement sent to Mohammed Adnène Trojette <adn+deb@diwi.org>:
Extra info received and forwarded to list. Copy sent to Devscripts Devel Team <pkg-devscripts@teams.debian.net>.


Message #27 received at 447955@bugs.debian.org:

From: Mohammed Adnène Trojette <adn+deb@diwi.org>
To: Kees Cook <kees@outflux.net>, 447955@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#447955: Add "always resign" variable
Date: Tue, 18 Dec 2007 00:11:24 +0100
tag 447955 wontfix
thanks

On Thu, Oct 25, 2007, Kees Cook wrote:
> This is when I'm signing over my sponsoree's.  Many of their build
> practices include signing packages (it is good practice for their
> eventual self-uploading).  This comes up most of all when I'm doing
> sponsored security updates.

I really see signing over a sponsoree's signature a bad practice. The
only use case I see is myself signing with a second key which is not in
the keyring and wanting to re-sign over it.

But I like being warned when a file I am signing has already been
signed.

So I won't fix this bug and I am tagging it accordingly.

You may also convince me I am wrong and I'll be happy to correct the
current behaviour. :-)

-- 
Mohammed Adnène Trojette




Tags added: wontfix Request was from Mohammed Adnène Trojette <adn+deb@diwi.org> to control@bugs.debian.org. (Mon, 17 Dec 2007 23:18:05 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Devscripts Devel Team <pkg-devscripts@teams.debian.net>:
Bug#447955; Package devscripts.


Acknowledgement sent to Kees Cook <kees@outflux.net>:
Extra info received and forwarded to list. Copy sent to Devscripts Devel Team <pkg-devscripts@teams.debian.net>.


Message #34 received at 447955@bugs.debian.org:

From: Kees Cook <kees@outflux.net>
To: Mohammed Adnène Trojette <adn+deb@diwi.org>
Cc: 447955@bugs.debian.org
Subject: Re: Bug#447955: Add "always resign" variable
Date: Mon, 17 Dec 2007 15:44:57 -0800
Hi,

On Tue, Dec 18, 2007 at 12:11:24AM +0100, Mohammed Adnène Trojette wrote:
> On Thu, Oct 25, 2007, Kees Cook wrote:
> > This is when I'm signing over my sponsoree's.  Many of their build
> > practices include signing packages (it is good practice for their
> > eventual self-uploading).  This comes up most of all when I'm doing
> > sponsored security updates.
> 
> I really see signing over a sponsoree's signature a bad practice. The
> only use case I see is myself signing with a second key which is not in
> the keyring and wanting to re-sign over it.

Right -- that's exactly the use-case I mean.  When I'm sponsoring
someone, I already have their key in my keyring (and as such I can
verify the integrity of their dsc/diff.gz/changes), but I need to resign
the changes/dsc with my own key so the upload would be accepted.

> You may also convince me I am wrong and I'll be happy to correct the
> current behaviour. :-)

No problem -- it's your call.  :)  I would like to see it implemented,
though, which is why I made it an optional variable -- by default it
continues to behave as before.

Thanks!

-Kees

-- 
Kees Cook                                            @outflux.net
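
The pre-re-sign check described in the message above, sketched as an added example (not code from debsign or from the original thread): it reports whether a `.changes` file already carries a clearsign wrapper and whether the files it lists still match their `Checksums-Sha256` entries. It does not verify the OpenPGP signature itself, which remains a job for `gpg --verify` or `dscverify`; the function names and the sample upload are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

ARMOR_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
ARMOR_SIG = "-----BEGIN PGP SIGNATURE-----"

def split_clearsigned(text):
    """Return (has_armor, body). Strips the clearsign wrapper; verifies nothing."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != ARMOR_BEGIN:
        return False, text
    start = lines.index("") + 1      # armor headers ("Hash: ...") end at the first blank line
    end = lines.index(ARMOR_SIG)     # ValueError here means a truncated wrapper
    body = [l[2:] if l.startswith("- ") else l for l in lines[start:end]]  # undo dash-escaping
    return True, "\n".join(body)

def sha256_entries(body):
    """Parse the Checksums-Sha256 field into {filename: (hex_digest, size)}."""
    entries, in_field = {}, False
    for line in body.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_field = False
    return entries

def check_upload(changes_path):
    """Return (already_signed, files that are missing or do not match their entry)."""
    changes = Path(changes_path)
    signed, body = split_clearsigned(changes.read_text(encoding="utf-8"))
    bad = []
    for name, (digest, size) in sha256_entries(body).items():
        # Path(name).name keeps a crafted entry such as "../x" inside the upload directory
        target = changes.parent / Path(name).name
        data = target.read_bytes() if target.is_file() else None
        if data is None or len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            bad.append(name)
    return signed, bad

def demo():
    """Constructed upload: check it as received, then after the .dsc is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        dsc = Path(tmp, "hello_1.0.dsc")
        dsc.write_bytes(b"Format: 1.0\nSource: hello\n")
        data = dsc.read_bytes()
        entry = " %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), dsc.name)
        changes = Path(tmp, "hello_1.0_source.changes")
        changes.write_text("\n".join([
            ARMOR_BEGIN, "Hash: SHA256", "", "Source: hello", "Checksums-Sha256:", entry, "",
            ARMOR_SIG, "", "(placeholder, not a real signature)", "-----END PGP SIGNATURE-----", ""]),
            encoding="utf-8")
        before = check_upload(changes)
        dsc.write_bytes(data + b"altered after signing\n")
        return before, check_upload(changes)
```

A non-empty second element means the existing signature no longer vouches for what is on disk, which is the case where replacing it without a prompt would hide the discrepancy.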




Tags removed: patch Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 15 Mar 2008 21:09:03 GMT).


Tags added: patch Request was from Kees Cook <kees@outflux.net> to control@bugs.debian.org. (Wed, 16 Apr 2008 16:45:14 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Devscripts Devel Team <pkg-devscripts@teams.debian.net>:
Bug#447955; Package devscripts.


Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Devscripts Devel Team <pkg-devscripts@teams.debian.net>.


Message #43 received at 447955@bugs.debian.org:

From: Loïc Minier <lool@dooz.org>
To: 44795@bugs.debian.org
Subject: I'd also find this useful
Date: Wed, 16 Apr 2008 18:35:44 +0200
        Hi,

 It happens to me from time to time that I have to resign .changes files
 where I fixed md5s manually, or resign a .changes which wasn't signed
 because pbuilder failed locating the proper file etc.  I hate the
 confirmation prompts asking me whether I want to replace the signature,
 and I'd be happy to use this option (which I just discovered).

   Thanks,
-- 
Loïc Minier




Information forwarded to debian-bugs-dist@lists.debian.org, Devscripts Devel Team <pkg-devscripts@teams.debian.net>:
Bug#447955; Package devscripts. (Wed, 05 Nov 2008 09:45:21 GMT).


Acknowledgement sent to Martin Pitt <martin@piware.de>:
Extra info received and forwarded to list. Copy sent to Devscripts Devel Team <pkg-devscripts@teams.debian.net>. (Wed, 05 Nov 2008 09:45:21 GMT).


Message #48 received at 447955@bugs.debian.org:

From: Martin Pitt <martin@piware.de>
To: Mohammed Adnène Trojette <adn+deb@diwi.org>, 447955@bugs.debian.org
Subject: Re: Bug#447955: Add "always resign" variable
Date: Wed, 5 Nov 2008 10:44:50 +0100
Mohammed Adnène Trojette [2007-12-18  0:11 +0100]:
> I really see signing over a sponsoree's signature a bad practice. 

Bad practice? It's the standard way to do sponsoring (see DR 7.5.2).

Maybe the confusion arises because in Debian we do binaryful uploads
(which I hate, but it has been argued about many times), whereas in
Ubuntu we do source-only uploads. The latter can be checked with
debdiff, without rebuilding the package, and for those cases this
option is very useful.

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)




Information forwarded to debian-bugs-dist@lists.debian.org, Devscripts Devel Team <pkg-devscripts@teams.debian.net>:
Bug#447955; Package devscripts. (Wed, 28 Jul 2010 23:33:03 GMT).


Message #51 received at 447955@bugs.debian.org:

From: Carsten Hey <carsten@debian.org>
To: 580821@bugs.debian.org, 447955@bugs.debian.org
Subject: debsign: relation between #447955 (DEBSIGN_ALWAYS_RESIGN) and #580821 (--always-resign)
Date: Thu, 29 Jul 2010 01:01:55 +0200
Hi,

you wondered about how #580821 relates to #447955 but did not have time
to check.

#447955 is about a DEBSIGN_ALWAYS_RESIGN variable, #580821 is about an
equivalent --always-resign option and about a --never-resign option.  Actually
they are named --{no-,}-re-sign in the current patch, I could send an
additional patch if you prefer --{always,never}-resign.

The explanation why #447955 is tagged wontfix is based on Mohammed's wish to
see a warning if he signs an already signed file and thus IMHO only applies to
variables changing the default behaviour, but does not apply to options that are
explicitly specified on the commandline.


Carsten




Added tag(s) pending. Request was from Benjamin Drung <bdrung@ubuntu.com> to control@bugs.debian.org. (Tue, 24 May 2011 10:24:19 GMT).


Message sent on to Kees Cook <kees@outflux.net>:
Bug#447955. (Tue, 24 May 2011 10:24:25 GMT).


Message #56 received at 447955-submitter@bugs.debian.org:

From: Benjamin Drung <bdrung@ubuntu.com>
To: 447955-submitter@bugs.debian.org
Subject: Bug#447955 marked as pending
Date: Tue, 24 May 2011 10:22:27 +0000
tag 447955 pending
thanks

Hello,

Bug #447955 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=devscripts/devscripts.git;a=commitdiff;h=b6f7a3b

---
commit b6f7a3beaaecfeb0e3ba0b6b63148ec27c824335
Author: Benjamin Drung <bdrung@ubuntu.com>
Date:   Tue May 24 12:22:16 2011 +0200

    debsign: Implement DEBSIGN_ALWAYS_RESIGN variable to skip the "Would you like to use the current signature?" question.
    
    Closes: #447955

diff --git a/debian/changelog b/debian/changelog
index 959a88e..7e5bb82 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -19,11 +19,13 @@ devscripts (2.10.74) UNRELEASED; urgency=low
   * debchange, uupdate: Use dpkg-vendor instead of lsb_release.
   * Merge from Ubuntu:
     + debuild: Enforce Ubuntu merge policy.
+    + debsign: Implement DEBSIGN_ALWAYS_RESIGN variable to skip the
+      "Would you like to use the current signature?" question. (Closes: #447955)
 
   [ David Prévot ]
   * Partial manual pages convention review (Closes: #626015).
 
- -- Benjamin Drung <bdrung@debian.org>  Tue, 24 May 2011 12:09:19 +0200
+ -- Benjamin Drung <bdrung@debian.org>  Tue, 24 May 2011 12:21:48 +0200
 
 devscripts (2.10.73) unstable; urgency=low
 
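Review bot: the two added changelog lines under "Merge from Ubuntu" name the question that is skipped but not what debsign then does with the existing signature. Since setting the variable means a signature already on the file is replaced without confirmation, state that outcome in the entry, for example "Implement DEBSIGN_ALWAYS_RESIGN variable to re-sign already signed files without asking." Only debian/changelog is visible in this diff, so also confirm that the commit documents the variable alongside debsign's other configuration variables.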




Reply sent to James Vega <jamessan@debian.org>:
You have taken responsibility. (Wed, 25 May 2011 07:18:03 GMT).


Notification sent to Kees Cook <kees@outflux.net>:
Bug acknowledged by developer. (Wed, 25 May 2011 07:18:03 GMT).


Message #61 received at 447955-close@bugs.debian.org:

From: James Vega <jamessan@debian.org>
To: 447955-close@bugs.debian.org
Subject: Bug#447955: fixed in devscripts 2.11.0
Date: Wed, 25 May 2011 07:15:54 +0000
Source: devscripts
Source-Version: 2.11.0

We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive:

devscripts_2.11.0.dsc
  to main/d/devscripts/devscripts_2.11.0.dsc
devscripts_2.11.0.tar.gz
  to main/d/devscripts/devscripts_2.11.0.tar.gz
devscripts_2.11.0_i386.deb
  to main/d/devscripts/devscripts_2.11.0_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 447955@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Vega <jamessan@debian.org> (supplier of updated devscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 24 May 2011 23:55:36 -0400
Source: devscripts
Binary: devscripts
Architecture: source i386
Version: 2.11.0
Distribution: unstable
Urgency: low
Maintainer: James Vega <jamessan@debian.org>
Description: 
 devscripts - scripts to make the life of a Debian Package maintainer easier
Closes: 447955 502525 568481 596245 626015 627030 627824
Changes: 
 devscripts (2.11.0) unstable; urgency=low
 .
   [ James Vega ]
   * getbuildlog:
     + Query the updated build log status pages.
     + Request the raw log file when downloading.
   * debcheckout: Use the destination directory, not package name, when
     checking for where the checkout happened.  (Closes: #627030)
   * Merge from Ubuntu:
     + dscverify: Use Ubuntu keyrings if on an Ubuntu-based system.
     + rmadison: Use Ubuntu's rmadison instance on Ubuntu.
   * namecheck: Update Alioth's "unknown project" pattern.  Thanks to Nelson A.
     de Oliveira for the patch.  (Closes: #627824)
   * Add lintian overrides for the ldconfig calls dh adds to post{inst,rm}.
 .
   [ Benjamin Drung ]
   * Move add-patch, edit-patch, suspicious-source, what-patch, and wrap-and-sort
     from ubuntu-dev-tools into devscripts (Closes: #568481).
   * Remove EOL whitespaces (Closes: #502525).
   * dget.1: Mention `debcheckout` under `SEE ALSO`. Thanks to Paul Menzel for
     the patch. (Closes: #596245)
   * debchange, uupdate: Use dpkg-vendor instead of lsb_release.
   * Merge from Ubuntu:
     + debuild: Enforce Ubuntu merge policy.
     + debsign: Implement DEBSIGN_ALWAYS_RESIGN variable to skip the
       "Would you like to use the current signature?" question. (Closes: #447955)
   * Add test infrastructure.
 .
   [ David Prévot ]
   * Partial manual pages convention review (Closes: #626015).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Jul 2011 07:36:15 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jan 10 21:24:20 2018; Machine Name: buxtehude