Package: devscripts
Version: 2.19.2
Severity: important
Usertags: uscan

Hi,

While playing around with uscan, I found that using both
'--skip-signature' and '--force-download' nullifies the effect of
'--force-download'.

For example:

---------------------------------------------------------------------
emiliano@zapata:~/git/foo/firmware-tomu$ uscan --force-download --verbose

uscan info: uscan (version 2.19.2) See uscan(1) for help
uscan info: Scan watch files in .
uscan info: Check debian/watch and debian/changelog in .
uscan info: package="firmware-tomu" version="2.0~rc7-1" (as seen in
debian/changelog)
uscan info: package="firmware-tomu" version="2.0~rc7" (no epoch/revision)
uscan info: Check debian/watch and debian/changelog in
./.git/logs/refs/remotes/origin
uscan info: Check debian/watch and debian/changelog in
./.git/logs/refs/heads
uscan info: Check debian/watch and debian/changelog in
./.git/refs/remotes/origin
uscan info: Check debian/watch and debian/changelog in ./.git/refs/heads
uscan info: ./debian/changelog sets package="firmware-tomu"
version="2.0~rc7"
uscan info: Process watch file at: debian/watch
    package = firmware-tomu
    version = 2.0~rc7
    pkg_dir = .
uscan info: opts:
filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/firmware-tomu-$1\.tar\.gz/,uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/
uscan info: line: https://github.com/im-tomu/tomu-bootloader/tags
.*/v?(\d[\d\.\-rc]+)\.tar\.gz
uscan info: Parsing
filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/firmware-tomu-$1\.tar\.gz/
uscan info: Parsing
uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/
uscan info: line: https://github.com/im-tomu/tomu-bootloader/tags
.*/v?(\d[\d\.\-rc]+)\.tar\.gz
uscan info: Last orig.tar.* tarball version (from debian/changelog): 2.0~rc7
uscan info: Last orig.tar.* tarball version (dversionmangled): 2.0~rc7
uscan info: Requesting URL:
   https://github.com/im-tomu/tomu-bootloader/tags
uscan info: Matching pattern:

(?:(?:https://github.com)?\/im\-tomu\/tomu\-bootloader\/tags)?.*/v?(\d[\d\.\-rc]+)\.tar\.gz
uscan info: Found the following matching hrefs on the web page (newest
first):
   /im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz (2.0~rc7)
index=2.0~rc7-1
   /im-tomu/tomu-bootloader/archive/v2.0-rc6.tar.gz (2.0~rc6)
index=2.0~rc6-1
   /im-tomu/tomu-bootloader/archive/v2.0-rc5.tar.gz (2.0~rc5)
index=2.0~rc5-1
   /im-tomu/tomu-bootloader/archive/v2.0-rc4.tar.gz (2.0~rc4)
index=2.0~rc4-1
   /im-tomu/tomu-bootloader/archive/v2.0-rc3.tar.gz (2.0~rc3)
index=2.0~rc3-1
   /im-tomu/tomu-bootloader/archive/v2.0-rc2.tar.gz (2.0~rc2)
index=2.0~rc2-1
   /im-tomu/tomu-bootloader/archive/v2.0-rc1.tar.gz (2.0~rc1)
index=2.0~rc1-1
uscan info: Looking at $base =
https://github.com/im-tomu/tomu-bootloader/tags with
    $filepattern = .*/v?(\d[\d\.\-rc]+)\.tar\.gz found
    $newfile     = /im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
    $newversion  = 2.0~rc7 which is newer than
    $lastversion = 2.0~rc7
uscan info: Matching target for downloadurlmangle:
https://github.com/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: Upstream URL(+tag) to download is identified as
https://github.com/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: Matching target for filenamemangle:
/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: Filename (filenamemangled) for downloaded file:
firmware-tomu-2.0-rc7.tar.gz
uscan info: Newest version of firmware-tomu on remote site is 2.0~rc7,
local version is 2.0~rc7
uscan info:    => Package is up to date for from
      https://github.com/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info:    => Forcing download as requested
uscan info: Downloading upstream package: firmware-tomu-2.0-rc7.tar.gz
uscan info: Requesting URL:
   https://github.com/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: Successfully downloaded package: firmware-tomu-2.0-rc7.tar.gz
uscan info: Start checking for common possible upstream OpenPGP
signature files
uscan info: End checking for common possible upstream OpenPGP signature
files
uscan info: Missing OpenPGP signature.
uscan info: New orig.tar.* tarball version (oversionmangled): 2.0~rc7
uscan info: Launch mk-origtargz with options:
   --package firmware-tomu --version 2.0~rc7 --compression default
--directory .. --copyright-file debian/copyright
../firmware-tomu-2.0-rc7.tar.gz
Successfully repacked ../firmware-tomu-2.0-rc7.tar.gz as
../firmware-tomu_2.0~rc7.orig.tar.xz, deleting 11 files from it.
uscan info: New orig.tar.* tarball version (after mk-origtargz): 2.0~rc7
uscan info: Scan finished
---------------------------------------------------------------------

The upstream package is downloaded and repacked as intended. Now with
'--skip-signature':

---------------------------------------------------------------------
emiliano@zapata:~/git/foo/firmware-tomu$ uscan --force-download --skip-signature --verbose

uscan info: uscan (version 2.19.2) See uscan(1) for help
uscan info: Scan watch files in .
uscan info: Check debian/watch and debian/changelog in .
uscan info: package="firmware-tomu" version="2.0~rc7-1" (as seen in
debian/changelog)
uscan info: package="firmware-tomu" version="2.0~rc7" (no epoch/revision)
uscan info: Check debian/watch and debian/changelog in
./.git/logs/refs/remotes/origin
uscan info: Check debian/watch and debian/changelog in
./.git/logs/refs/heads
uscan info: Check debian/watch and debian/changelog in
./.git/refs/remotes/origin
uscan info: Check debian/watch and debian/changelog in ./.git/refs/heads
uscan info: ./debian/changelog sets package="firmware-tomu"
version="2.0~rc7"
uscan info: Process watch file at: debian/watch
    package = firmware-tomu
    version = 2.0~rc7
    pkg_dir = .
uscan info: opts:
filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/firmware-tomu-$1\.tar\.gz/,uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/
uscan info: line: https://github.com/im-tomu/tomu-bootloader/tags
.*/v?(\d[\d\.\-rc]+)\.tar\.gz
uscan info: Parsing
filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/firmware-tomu-$1\.tar\.gz/
uscan info: Parsing
uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/
uscan info: line: https://github.com/im-tomu/tomu-bootloader/tags
.*/v?(\d[\d\.\-rc]+)\.tar\.gz
uscan info: Last orig.tar.* tarball version (from debian/changelog): 2.0~rc7
uscan info: Last orig.tar.* tarball version (dversionmangled): 2.0~rc7
uscan info: Requesting URL:
   https://github.com/im-tomu/tomu-bootloader/tags
uscan info: Matching pattern:

(?:(?:https://github.com)?\/im\-tomu\/tomu\-bootloader\/tags)?.*/v?(\d[\d\.\-rc]+)\.tar\.gz
uscan info: Found the following matching hrefs on the web page (newest
first):
   /im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz (2.0~rc7)
index=2.0~rc7-1
   /im-tomu/tomu-bootloader/archive/v2.0-rc6.tar.gz (2.0~rc6)
index=2.0~rc6-1
   /im-tomu/tomu-bootloader/archive/v2.0-rc5.tar.gz (2.0~rc5)
index=2.0~rc5-1
   /im-tomu/tomu-bootloader/archive/v2.0-rc4.tar.gz (2.0~rc4)
index=2.0~rc4-1
   /im-tomu/tomu-bootloader/archive/v2.0-rc3.tar.gz (2.0~rc3)
index=2.0~rc3-1
   /im-tomu/tomu-bootloader/archive/v2.0-rc2.tar.gz (2.0~rc2)
index=2.0~rc2-1
   /im-tomu/tomu-bootloader/archive/v2.0-rc1.tar.gz (2.0~rc1)
index=2.0~rc1-1
uscan info: Looking at $base =
https://github.com/im-tomu/tomu-bootloader/tags with
    $filepattern = .*/v?(\d[\d\.\-rc]+)\.tar\.gz found
    $newfile     = /im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
    $newversion  = 2.0~rc7 which is newer than
    $lastversion = 2.0~rc7
uscan info: Matching target for downloadurlmangle:
https://github.com/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: Upstream URL(+tag) to download is identified as
https://github.com/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: Matching target for filenamemangle:
/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: Filename (filenamemangled) for downloaded file:
firmware-tomu-2.0-rc7.tar.gz
uscan info: Newest version of firmware-tomu on remote site is 2.0~rc7,
local version is 2.0~rc7
uscan info:    => Package is up to date for from
      https://github.com/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info:    => Forcing download as requested
uscan info: Scan finished
---------------------------------------------------------------------

The upstream package isn't downloaded.

I've attached my watch file and my copyright file (I'm using
File-Excluded). If you need more context, the package I'm working on can
be found here:

https://salsa.debian.org/debian/firmware-tomu/

I've marked this as important since 'uscan --verbose
--download-current-version --force-download --rename --skip-signature'
is the default command used by the Salsa CI Team's default gbp CI pipeline.

If you think it isn't that high a severity, please feel free to
downgrade it.

Cheers!

-- 
  ⢀⣴⠾⠻⢶⣦⠀
  ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
  ⢿⡄⠘⠷⠚⠋   [email protected] / veronneau.org
  ⠈⠳⣄
version=4
opts=filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/firmware-tomu-$1\.tar\.gz/,uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/ \
  https://github.com/im-tomu/tomu-bootloader/tags .*/v?(\d[\d\.\-rc]+)\.tar\.gz
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: tomu-bootloader
Upstream-Contact: Sean Cross <[email protected]>
Source: https://github.com/im-tomu/tomu-bootloader
Comment:
 The upstream source tarball is repacked to drop off the prebuilt tomu firmware
 and the Windows binaries for dfu-util.
Files-Excluded:
 bin/*
 prebuilt/*

Files: *
Copyright: 2016-2018, Tim Ansell <[email protected]>
           2017-2018, Sean Cross <[email protected]>
License: GPL-3

Files: booster/xxhash.c
       booster/xxhash.h
       toboot/xxhash.c
       toboot/xxhash.h
Copyright: 2012-2016, Yann Collet
License: BSD-2-clause

Files: openocd/build-openocd.sh
Copyright: 2017, Aleksa Sarai <[email protected]>
License: GPL-3+

Files: tomu.ld
       booster/tomu.ld
       tests/secure-erase/pass-1/tomu.ld
       tests/secure-erase/pass-2/tomu.ld
Copyright: 2016, Silicon Laboratories, Inc. http://www.silabs.com
License: Apache-2.0

Files: toboot/dfu.c
       toboot/dfu.h
Copyright: 2013, Micah Elizabeth Scott
License: Expat

Files: toboot/usb_dev.c
Copyright: 2013, PJRC.COM, LLC
           2017, Sergei Glushchenko
License: GPL-3+

Files: toboot/usb_desc.c
       toboot/usb_desc.h
       toboot/usb_dev.h
Copyright: 2013, PJRC.COM, LLC
License: BSD-2-clause

Files: toboot/webusb_defs.h
Copyright: 2016, Devan Lai
License: ISC

Files: debian/*
Copyright: 2019, Louis-Philippe Véronneau <[email protected]>
License: GPL-3+

License: Apache-2.0
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements.  See the NOTICE file distributed with
 this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
 (the "License"); you may not use this file except in compliance with
 the License.  You may obtain a copy of the License at
 .
      https://www.apache.org/licenses/LICENSE-2.0
 .
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 .
 On Debian systems, the full text of the Apache Software License version 2 can
 be found in the file `/usr/share/common-licenses/Apache-2.0'.

License: BSD-2-clause
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
 are met:
 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.

License: Expat
 Permission is hereby granted, free of charge, to any person obtaining a
 copy of this software and associated documentation files (the "Software"),
 to deal in the Software without restriction, including without limitation
 the rights to use, copy, modify, merge, publish, distribute, sublicense,
 and/or sell copies of the Software, and to permit persons to whom the
 Software is furnished to do so, subject to the following conditions:
 .
 The above copyright notice and this permission notice shall be included
 in all copies or substantial portions of the Software.
 .
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
 NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
 DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
 OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 USE OR OTHER DEALINGS IN THE SOFTWARE.

License: GPL-3
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; version 3.
 .
 On Debian systems, the complete text of version 3 of the GNU General
 Public License can be found in '/usr/share/common-licenses/GPL-3'.

License: GPL-3+
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; version 3, or (at your option) any
 later version.
 .
 On Debian systems, the complete text of version 3 of the GNU General
 Public License can be found in '/usr/share/common-licenses/GPL-3'.

License: ISC
 Permission to use, copy, modify, and distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
 copyright notice and this permission notice appear in all copies.
 .
 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
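
An added example, not part of the original report or of devscripts: a POSIX shell check that a CI job could run over `uscan --verbose` output to catch the failure shown in the second run above, where "Forcing download as requested" is printed but no "Successfully downloaded package" line follows. The function names, the `uscan_checked` wrapper and the sample logs (excerpted from the two runs in the report) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the report or devscripts): flag a uscan run that
# announced a forced download but never fetched a package.

# Reads `uscan --verbose` output on stdin. Exit status:
#   0 = forced download announced and a package was downloaded
#   1 = forced download announced, nothing downloaded (the reported case)
#   2 = no forced download announced in this log
check_forced_download() {
    awk '
        /=> Forcing download as requested/ { forced = 1 }
        /Successfully downloaded package:/ { fetched = 1 }
        END {
            if (!forced)  exit 2
            if (!fetched) exit 1
            exit 0
        }'
}

# Hypothetical CI wrapper: run uscan, show its output, and fail the job
# when uscan itself fails or the forced download silently did not happen.
uscan_checked() {
    log=$(mktemp) || return 3
    rc=0; chk=0
    uscan --verbose "$@" >"$log" 2>&1 || rc=$?
    cat "$log"
    check_forced_download <"$log" || chk=$?
    rm -f "$log"
    [ "$rc" -eq 0 ] || return "$rc"
    [ "$chk" -ne 1 ]
}

# Constructed samples: lines excerpted from the two runs in the report.
sample_log_downloaded() {
    cat <<'EOF'
uscan info:    => Forcing download as requested
uscan info: Downloading upstream package: firmware-tomu-2.0-rc7.tar.gz
uscan info: Successfully downloaded package: firmware-tomu-2.0-rc7.tar.gz
uscan info: Scan finished
EOF
}

sample_log_skipped() {
    cat <<'EOF'
uscan info:    => Forcing download as requested
uscan info: Scan finished
EOF
}
```

In a pipeline, `uscan_checked --download-current-version --force-download --rename --skip-signature` would stand in for the bare `uscan` call, so a run that ends at "Scan finished" without a tarball fails the job instead of passing quietly.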
