Debian Bug report logs - #732449
devscripts: uscan should check for likely URLs for upstream cryptographic signatures


Package: devscripts; Maintainer for devscripts is Devscripts Maintainers <devscripts@packages.debian.org>; Source for devscripts is src:devscripts.

Reported by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Date: Wed, 18 Dec 2013 07:33:02 UTC

Severity: normal

Tags: patch

Found in version devscripts/2.13.8

Fixed in version devscripts/2.14.2

Done: James McCoy <jamessan@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, dkg@fifthhorseman.net, Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>:
Bug#732449; Package devscripts. (Wed, 18 Dec 2013 07:33:06 GMT)


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
New Bug report received and forwarded. Copy sent to dkg@fifthhorseman.net, Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>. (Wed, 18 Dec 2013 07:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: devscripts: uscan should check for likely URLs for upstream cryptographic signatures
Date: Wed, 18 Dec 2013 02:24:27 -0500
Package: devscripts
Version: 2.13.8
Severity: normal
Tags: patch

now that pgpsigurlmangle is available, it would be nice to remind
package maintainers if upstream is offering something that looks like
a cryptographic signature.

the attached patch implements such a check.

    --dkg

-- Package-specific info:

--- /etc/devscripts.conf ---

--- ~/.devscripts ---
Not present

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages devscripts depends on:
ii  dpkg-dev     1.16.12
ii  libc6        2.17-97
ii  perl         5.18.1-5
ii  python3      3.3.2-17
pn  python3:any  <none>

Versions of packages devscripts recommends:
ii  at                          3.1.14-1
ii  curl                        7.33.0-1
ii  dctrl-tools                 2.23
ii  debian-keyring              2013.12.13
ii  dput-ng [dput]              1.7
ii  dupload                     2.7.0
pn  equivs                      <none>
ii  fakeroot                    1.18.4-2
ii  gnupg                       1.4.15-1.1
ii  libdistro-info-perl         0.11
ii  libencode-locale-perl       1.03-1
ii  libjson-perl                2.61-1
ii  liblwp-protocol-https-perl  6.04-2
ii  libparse-debcontrol-perl    2.005-4
pn  libsoap-lite-perl           <none>
ii  liburi-perl                 1.60-1
ii  libwww-perl                 6.05-2
ii  lintian                     2.5.20
ii  man-db                      2.6.5-2
ii  patch                       2.7.1-4
ii  patchutils                  0.3.2-3
ii  python3-debian              0.1.21+nmu2
pn  python3-magic               <none>
ii  sensible-utils              0.0.9
ii  strace                      4.5.20-2.3
ii  unzip                       6.0-10
ii  wdiff                       1.2.1-1
ii  wget                        1.14-5
ii  xz-utils                    5.1.1alpha+20120614-2

Versions of packages devscripts suggests:
ii  build-essential              11.6
pn  cvs-buildpackage             <none>
ii  devscripts-el                35.8
pn  gnuplot                      <none>
ii  gpgv                         1.4.15-1.1
ii  heirloom-mailx [mailx]       12.5-2
pn  libauthen-sasl-perl          <none>
pn  libfile-desktopentry-perl    <none>
ii  libnet-smtp-ssl-perl         1.01-3
pn  libterm-size-perl            <none>
ii  libtimedate-perl             2.3000-1
pn  libyaml-syck-perl            <none>
ii  mailutils [mailx]            1:2.99.98-1.1
pn  mutt                         <none>
ii  openssh-client [ssh-client]  1:6.4p1-1
ii  svn-buildpackage             0.8.5
pn  w3m                          <none>

-- debconf-show failed
[uscan-look-for-signature.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Thu, 08 May 2014 12:06:19 GMT)


Message sent on to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#732449. (Thu, 08 May 2014 12:06:31 GMT)


Message #10 received at 732449-submitter@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: 732449-submitter@bugs.debian.org
Subject: Bug#732449 marked as pending
Date: Thu, 08 May 2014 12:02:00 +0000
tag 732449 pending
thanks

Hello,

Bug #732449 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/devscripts.git;a=commitdiff;h=663fd42

---
commit 663fd42238ef75d1e6ba0735164fbbcf6f861f76
Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date:   Thu May 8 19:54:10 2014 +0800

    uscan: check for likely upstream signatures if none are known (Closes: #732449)
    
    Make uscan try to fetch the usual suffixes (.asc, .gpg, .pgp, .sig)
    appended to the tarball URL to see if we can find a likely-looking
    cryptographic signature.
    
    If one is found, uscan suggests that the package maintainer investigate
    it and encourages them to set up future checks.

diff --git a/debian/changelog b/debian/changelog
index b81e48f..88784ad 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,9 @@ devscripts (2.14.2) UNRELEASED; urgency=medium
   * Use HTTPS for the buildd logs to avoid a redirect
   * Fix scraping of the wnpp web pages due to https links
 
+  [ Daniel Kahn Gillmor ]
+  * uscan: check for likely upstream signatures if none are known (Closes: #732449)
+
   [ Cyril Brulebois ]
   * deb-reversion: Add support for udebs.  (Closes: #739437)
 
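Review bot: the added changelog line "* uscan: check for likely upstream signatures if none are known (Closes: #732449)" runs past 80 columns, while the surrounding entries in this file stay within it; wrap it after "(Closes:" as the uploaded 2.14.2 changelog further down this page does. Note also that this commitdiff excerpt shows only debian/changelog; the uscan change itself (the suffix probing the commit message describes) is not visible here and has to be reviewed via the commitdiff link above.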


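The check the commit message describes, written out as an added example (this is not uscan's code and not part of the bug log): append the usual suffixes to the tarball URL, fetch each candidate, and report the first one that looks like a detached OpenPGP signature, together with the debian/watch option the maintainer would add to verify it from then on. The example goes one step beyond the commit message by checking the response body for an armored header or a signature packet byte, so a server that answers unknown paths with a 200 HTML page (a soft 404) does not produce a false hit. The upstream URL and the responses are constructed here so the block runs offline; the `opts=pgpsigurlmangle=s/$/.asc/` syntax is uscan's, but the wording of the suggestion and the `apply_mangle` helper (which supports only `s/pattern/replacement/` rules with the Perl regex subset Python's `re` also accepts) are this example's own assumptions.

```python
"""Probe for a detached OpenPGP signature published next to an upstream tarball.

Added example, not devscripts/uscan code.  The fetcher is injected so the
probe can run against constructed responses instead of the network.
"""
import re
from typing import Callable, Dict, List, Optional

# Suffixes named in the uscan commit message; the order is a preference
# order chosen for this example, not something uscan specifies.
SIGNATURE_SUFFIXES = (".asc", ".gpg", ".pgp", ".sig")

ARMOR_HEADER = b"-----BEGIN PGP SIGNATURE-----"
# First byte of a binary OpenPGP signature packet (tag 2):
# old format 0x80 | (2 << 2) | length-type -> 0x88..0x8b, new format 0xc0 | 2 -> 0xc2.
BINARY_SIG_FIRST_BYTES = frozenset({0x88, 0x89, 0x8A, 0x8B, 0xC2})

# A fetcher returns the response body, or None when the URL does not exist.
Fetcher = Callable[[str], Optional[bytes]]


def candidate_signature_urls(tarball_url: str, suffixes=SIGNATURE_SUFFIXES) -> List[str]:
    """Append each suffix to the tarball URL, as the commit message describes."""
    return [tarball_url + s for s in suffixes]


def looks_like_openpgp_signature(body: bytes) -> bool:
    """Cheap content check so a soft-404 HTML page is not mistaken for a signature."""
    if body.lstrip().startswith(ARMOR_HEADER):
        return True
    return bool(body) and body[0] in BINARY_SIG_FIRST_BYTES


def find_likely_signature(tarball_url: str, fetch: Fetcher) -> Optional[str]:
    """Return the first candidate URL whose body looks like a detached signature."""
    for url in candidate_signature_urls(tarball_url):
        body = fetch(url)
        if body is not None and looks_like_openpgp_signature(body):
            return url
    return None


def suggest_pgpsigurlmangle(tarball_url: str, signature_url: str) -> Optional[str]:
    """Build the debian/watch option for a signature living at tarball URL + suffix.

    The opts=pgpsigurlmangle=s/$/.asc/ syntax is uscan's; this suggestion
    text is the example's own, not what uscan actually prints.
    """
    if signature_url.startswith(tarball_url):
        suffix = signature_url[len(tarball_url):]
        if suffix in SIGNATURE_SUFFIXES:
            return f"opts=pgpsigurlmangle=s/$/{suffix}/"
    return None


def apply_mangle(rule: str, url: str) -> str:
    """Apply an s/pattern/replacement/[gi] rule of the kind pgpsigurlmangle takes.

    Assumption of this example: only the '/' delimiter is supported, and the
    pattern must be valid for Python's re (Perl's $1 in the replacement would
    have to be written as \\1 here).
    """
    m = re.fullmatch(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/([gi]*)", rule)
    if not m:
        raise ValueError(f"unsupported mangle rule: {rule!r}")
    pattern, replacement, flags = m.groups()
    count = 0 if "g" in flags else 1
    return re.sub(pattern, replacement, url, count=count, flags=re.I if "i" in flags else 0)


def constructed_fetcher(responses: Dict[str, bytes]) -> Fetcher:
    """Offline stand-in for HTTP GET: constructed bodies, None for a missing URL."""
    return lambda url: responses.get(url)


TARBALL = "https://example.org/releases/foo-1.2.tar.gz"  # hypothetical upstream URL
# Constructed responses: upstream publishes an armored .asc next to the
# tarball, and its web server answers every other path with a 200 HTML page.
SAMPLE_RESPONSES = {
    TARBALL + ".asc": ARMOR_HEADER + b"\nVersion: GnuPG v1\n\n(constructed, not a real signature body)\n-----END PGP SIGNATURE-----\n",
    TARBALL + ".gpg": b"<html><body>Not found</body></html>",
    TARBALL + ".pgp": b"<html><body>Not found</body></html>",
    TARBALL + ".sig": b"<html><body>Not found</body></html>",
}


def demo() -> Dict[str, Optional[str]]:
    """Run the probe against the constructed server and return what uscan would report."""
    found = find_likely_signature(TARBALL, constructed_fetcher(SAMPLE_RESPONSES))
    rule = suggest_pgpsigurlmangle(TARBALL, found) if found else None
    # Show that the suggested rule, applied to the tarball URL, reproduces the signature URL.
    mangled = apply_mangle(rule.split("=", 2)[2], TARBALL) if rule else None
    return {"signature_url": found, "watch_option": rule, "mangled": mangled}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A hit from this probe is only a hint, which is why the example stops at suggesting the watch option: a file named `.asc` sitting next to the tarball proves nothing until the signature is verified against an upstream key obtained out of band and kept in the packaging (debian/upstream-signing-key.pgp in the uscan of this era), and a server that serves arbitrary content at any path is exactly why the body check exists.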

Reply sent to James McCoy <jamessan@debian.org>:
You have taken responsibility. (Sun, 11 May 2014 18:36:14 GMT)


Notification sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug acknowledged by developer. (Sun, 11 May 2014 18:36:14 GMT)


Message #15 received at 732449-close@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: 732449-close@bugs.debian.org
Subject: Bug#732449: fixed in devscripts 2.14.2
Date: Sun, 11 May 2014 18:33:32 +0000
Source: devscripts
Source-Version: 2.14.2

We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 732449@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <jamessan@debian.org> (supplier of updated devscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 11 May 2014 13:15:22 -0400
Source: devscripts
Binary: devscripts
Architecture: source amd64
Version: 2.14.2
Distribution: unstable
Urgency: medium
Maintainer: Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>
Changed-By: James McCoy <jamessan@debian.org>
Description: 
 devscripts - scripts to make the life of a Debian Package maintainer easier
Closes: 730768 732449 736798 739437 741040 743462 744320 745565 746612
Changes: 
 devscripts (2.14.2) unstable; urgency=medium
 .
   [ Jakub Wilk ]
   * sadt:
     + Add support for @builddeps@ in tests' Depends.  (Closes: #736798)
 .
   [ Benjamin Drung ]
   * Bump Standard-Version to 3.9.5.
   * Wrap long line in extended description.
 .
   [ Paul Wise ]
   * Use HTTPS for the buildd logs to avoid a redirect
   * Fix scraping of the wnpp web pages due to https links
 .
   [ Daniel Kahn Gillmor ]
   * uscan: check for likely upstream signatures if none are known (Closes:
     #732449)
 .
   [ Cyril Brulebois ]
   * deb-reversion: Add support for udebs.  (Closes: #739437)
 .
   [ Gunnar Wolf ]
   * debcommit: Add switch+conf.setting allowing to specify Git to sign
     every single commit (Closes: #741040)
 .
   [ James McCoy ]
   * debcommit: Add hg and bzr support to DEBCOMMIT_SIGN_COMMITS.
   * mk-build-deps: Uninstall the build-dep packages if apt isn't able to
     complete their install.  (Closes: #743462)
   * dpkg-depcheck: Convert relative paths to absolute before filtering, so
     filters properly match the path.  Thanks to William King for the patch.
     (Closes: #744320)
   * debchange:
     + Document the default urgency is medium.  Thanks to Anders Kaseorg for
       the patch.  (Closes: #745565)
     + Add “binary-only=yes” to binNMU changelog stanzas.  Thanks to Thorsten
       Glaser for the patch.  (Closes: #746612)
 .
   [ Andreas Tille ]
   * uscan: Allow a different compression scheme when repacking upstream
     tarballs.  (Closes: #730768)
 .
   [ Antonio Terceiro ]
   * debi/debc: always try ../build-area/ when the changes file is not found
     under ../ (even when not using svn)
 .
   [ Joachim Breitner ]
   * mk-origtargz: New script to rename (or symlink or copy) a downloaded
     upstream tarball to the correct name, possibly changing the compression
     scheme and removing files listed in debian/copyright's Excluded-Files.
     This is now also used by uscan, where most of the code comes from.
Checksums-Sha1: 
 b4a02bed3a2bae199de3436e0133be843b4aba25 2273 devscripts_2.14.2.dsc
 b6f2fbc3c2824f9c9f0f92672f1367fdf8dc45ef 594996 devscripts_2.14.2.tar.xz
 d9a2b7871b038c4b34a8f314f4acec1672df50fa 886456 devscripts_2.14.2_amd64.deb
Checksums-Sha256: 
 905ba4e307104fd83f7bfe43f06c31ecebdcd441fd71244afa20909b91101e78 2273 devscripts_2.14.2.dsc
 d225d00b7f5a83c9644b3d0e3d9d763ec9cb2b362f2541f4d3ac21785c909018 594996 devscripts_2.14.2.tar.xz
 a4b130440049d6c3d1778a1e8793fda31a35fc33b77cd4ea024f0a1bbec28bad 886456 devscripts_2.14.2_amd64.deb
Files: 
 463b4779401259dafb89a15e72c27f96 886456 devel optional devscripts_2.14.2_amd64.deb
 c1465b08a99a0c88c13febd593fbf77e 2273 devel optional devscripts_2.14.2.dsc
 f461aa83b46fdc1cc26e906ac31d1a62 594996 devel optional devscripts_2.14.2.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 14 Jun 2014 07:31:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Sep 26 11:45:43 2023; Machine Name: buxtehude
