Package: ftp.debian.org
Severity: wishlist

Parts of the debian archive now know about upstream's signing key, for those upstreams who sign their releases. But we don't currently include upstream's detached signatures in the archive.

Where possible, it would be good to be able to include the upstream signature alongside the upstream tarball.

For example, it would be nice to be able to do an "apt-get source foo" and be able to verify both the debian maintainer's signature and the upstream signature automatically, if present.

There is probably a lot of work to do to get all the way there, but a first step is to get dak to not reject the file in an upload.

I just tried adding the upstream signature to a .dsc for libgpg-error 1.13-4 (see attached files), and got a rejection message from dak:

  libgpg-error_1.13-4.dsc: libgpg-error_1.13.orig.tar.bz2.asc in Files field not recognised as source.

paultag said he'd be up for working on dak to fix this.

  --dkg

Attachment: libgpg-error_1.13-4.debian.tar.xz (application/xz)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 3.0 (quilt)
Source: libgpg-error
Binary: libgpg-error-dev, libgpg-error0, libgpg-error0-udeb
Architecture: any
Version: 1.13-4
Maintainer: Debian GnuPG Maintainers <pkg-gnupg-ma...@lists.alioth.debian.org>
Uploaders: Matthias Urlichs <sm...@debian.org>, Jose Carlos Garcia Sogo <js...@debian.org>, Daniel Kahn Gillmor <d...@fifthhorseman.net>
Homepage: http://www.gnupg.org/related_software/libgpg-error/
Standards-Version: 3.9.5
Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-gnupg/libgpg-error/trunk/
Vcs-Svn: svn://anonscm.debian.org/pkg-gnupg/libgpg-error/trunk/
Build-Depends: dh-autoreconf, debhelper (>> 8.1.3~)
Package-List:
 libgpg-error-dev deb libdevel optional arch=any
 libgpg-error0 deb libs standard arch=any
 libgpg-error0-udeb udeb debian-installer optional arch=any
Checksums-Sha1:
 50fbff11446a7b0decbf65a6e6b0eda17b5139fb 489948 libgpg-error_1.13.orig.tar.bz2
 7abc7ca14afc19f31a2043fde21120fef5e09572 11756 libgpg-error_1.13-4.debian.tar.xz
 ae62129a45cc130a4807854a2c43398c428e2392 473 libgpg-error_1.13.orig.tar.bz2.asc
Checksums-Sha256:
 f8aba9038d8a46cefe6a6c4a7e4527144c029eb4e3ca1ed27011b962102c9b0a 489948 libgpg-error_1.13.orig.tar.bz2
 a7fba75f5106da4bc37f2e4c08c45893947dee9cb8c3da2ffaa475a186d3170d 11756 libgpg-error_1.13-4.debian.tar.xz
 b9e02f9559648a8a8670a22e5f3565b56641362309de43d4db0bbcede0725204 473 libgpg-error_1.13.orig.tar.bz2.asc
Files:
 fe0cfa7e15262ef8fdeee366109e9ff6 489948 libgpg-error_1.13.orig.tar.bz2
 48a8dea8cb09dead2ae6137b4b3d31ff 11756 libgpg-error_1.13-4.debian.tar.xz
 207683a307eaf673570b1970b33956a7 473 libgpg-error_1.13.orig.tar.bz2.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 26 Aug 2014 15:43:27 -0700
Source: libgpg-error
Binary: libgpg-error-dev libgpg-error0 libgpg-error0-udeb
Architecture: source amd64
Version: 1.13-4
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuPG Maintainers <pkg-gnupg-ma...@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Description:
 libgpg-error-dev - library for common error values and messages in GnuPG components
 libgpg-error0 - library for common error values and messages in GnuPG components
 libgpg-error0-udeb - library for common error values and messages in GnuPG components (udeb)
Changes:
 libgpg-error (1.13-4) unstable; urgency=medium
 .
   * no changes to source
   * try to upload the upstream signature to the archive.
Checksums-Sha1:
 32fc056ff6058f59e4cd36506656af2e17f06fdc 2611 libgpg-error_1.13-4.dsc
 7abc7ca14afc19f31a2043fde21120fef5e09572 11756 libgpg-error_1.13-4.debian.tar.xz
 65ed0c904adef53dcfaadc6e0bf20a73176b53a0 31192 libgpg-error-dev_1.13-4_amd64.deb
 088b95c571759eec59cb0731c0a1408e1e61f02d 58868 libgpg-error0_1.13-4_amd64.deb
 259d6f823ec216ef9bff543ed4cb1324cba13fd0 6696 libgpg-error0-udeb_1.13-4_amd64.udeb
 ae62129a45cc130a4807854a2c43398c428e2392 473 libgpg-error_1.13.orig.tar.bz2.asc
Checksums-Sha256:
 bb6f6638895b6fae738eff670ad1f63c479b001b01d203a7ce6a19d2c7526350 2611 libgpg-error_1.13-4.dsc
 a7fba75f5106da4bc37f2e4c08c45893947dee9cb8c3da2ffaa475a186d3170d 11756 libgpg-error_1.13-4.debian.tar.xz
 90b8d74fc4860bc56e273970710b79adf25f2372cf00a66c4fe13fad7fc56c8f 31192 libgpg-error-dev_1.13-4_amd64.deb
 746d184a42abdf6a4c279743c0b93b3a3b44adf242724b8d8a1fc9fabc2a8c82 58868 libgpg-error0_1.13-4_amd64.deb
 5eee828c387b5d1ad31ad83e0a22a5f4f49e51c4dd2e17c80f91d0d4b73a00c9 6696 libgpg-error0-udeb_1.13-4_amd64.udeb
 b9e02f9559648a8a8670a22e5f3565b56641362309de43d4db0bbcede0725204 473 libgpg-error_1.13.orig.tar.bz2.asc
Files:
 163f198a083e1698f75433dfb4ed874d 31192 libdevel optional libgpg-error-dev_1.13-4_amd64.deb
 8a84fb3071b8805bff8c34044454546b 58868 libs standard libgpg-error0_1.13-4_amd64.deb
 26d865896c56528ac33562b88956b2ec 6696 debian-installer optional libgpg-error0-udeb_1.13-4_amd64.udeb
 04063e525057b0213f0b7a7666ffc3d6 2611 libs standard libgpg-error_1.13-4.dsc
 48a8dea8cb09dead2ae6137b4b3d31ff 11756 libs standard libgpg-error_1.13-4.debian.tar.xz
 207683a307eaf673570b1970b33956a7 473 libs standard libgpg-error_1.13.orig.tar.bz2.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----
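
The rejection above comes from the archive not recognising a .asc entry as a source file. As an added illustration (not part of the original report and not dak's code), the sketch below classifies the entries of the .dsc's Checksums-Sha256 field and accepts a detached signature only when the orig tarball it signs is listed beside it. The filename patterns and function names are assumptions made for this example, and it covers only filename recognition, not OpenPGP verification.

```python
import re

# Checksums-Sha256 entries copied from the .dsc in the report above.
DSC_SHA256 = """\
 f8aba9038d8a46cefe6a6c4a7e4527144c029eb4e3ca1ed27011b962102c9b0a 489948 libgpg-error_1.13.orig.tar.bz2
 a7fba75f5106da4bc37f2e4c08c45893947dee9cb8c3da2ffaa475a186d3170d 11756 libgpg-error_1.13-4.debian.tar.xz
 b9e02f9559648a8a8670a22e5f3565b56641362309de43d4db0bbcede0725204 473 libgpg-error_1.13.orig.tar.bz2.asc
"""

# Hypothetical filename patterns for this example (not dak's own regexes).
COMP = r"(?:gz|bz2|xz|lzma)"
ORIG = re.compile(rf"^[a-z0-9][a-z0-9+.-]+_[^_/]+\.orig(?:-[A-Za-z0-9-]+)?\.tar\.{COMP}$")
DEBIAN = re.compile(rf"^[a-z0-9][a-z0-9+.-]+_[^_/]+\.(?:debian\.tar|diff)\.{COMP}$")

def parse_checksums(field):
    """Return {filename: (sha256, size)} from a Checksums-Sha256 field body."""
    entries = {}
    for line in field.splitlines():
        if not line.strip():
            continue
        digest, size, name = line.split()
        if not re.fullmatch(r"[0-9a-f]{64}", digest) or "/" in name:
            raise ValueError(f"malformed entry: {line!r}")
        entries[name] = (digest, int(size))
    return entries

def classify(entries):
    """Label each file; a .asc is accepted only beside the tarball it signs."""
    result = {}
    for name in entries:
        if ORIG.match(name):
            result[name] = "orig-tarball"
        elif DEBIAN.match(name):
            result[name] = "debian-changes"
        elif name.endswith(".asc") and ORIG.match(name[:-4]) and name[:-4] in entries:
            result[name] = "upstream-signature"
        else:
            result[name] = "rejected"
    return result

if __name__ == "__main__":
    for name, kind in classify(parse_checksums(DSC_SHA256)).items():
        print(f"{kind:20} {name}")
```

Tying the .asc to a listed tarball keeps a stray signature file from being accepted as source on its name alone.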