Package: devscripts
Version: 2.19.2
Severity: important
Usertags: uscan

Hi,
While playing around with uscan, I found that using both
'--skip-signature' and '--force-download' nullifies the effect of
'--force-download'.
For example:
---------------------------------------------------------------------
emiliano@zapata:~/git/foo/firmware-tomu$ uscan --force-download --verbose
uscan info: uscan (version 2.19.2) See uscan(1) for help
uscan info: Scan watch files in .
uscan info: Check debian/watch and debian/changelog in .
uscan info: package="firmware-tomu" version="2.0~rc7-1" (as seen in
debian/changelog)
uscan info: package="firmware-tomu" version="2.0~rc7" (no epoch/revision)
uscan info: Check debian/watch and debian/changelog in
./.git/logs/refs/remotes/origin
uscan info: Check debian/watch and debian/changelog in
./.git/logs/refs/heads
uscan info: Check debian/watch and debian/changelog in
./.git/refs/remotes/origin
uscan info: Check debian/watch and debian/changelog in ./.git/refs/heads
uscan info: ./debian/changelog sets package="firmware-tomu"
version="2.0~rc7"
uscan info: Process watch file at: debian/watch
package = firmware-tomu
version = 2.0~rc7
pkg_dir = .
uscan info: opts:
filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/firmware-tomu-$1\.tar\.gz/,uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/
uscan info: line: https://github.com/im-tomu/tomu-bootloader/tags
.*/v?(\d[\d\.\-rc]+)\.tar\.gz
uscan info: Parsing
filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/firmware-tomu-$1\.tar\.gz/
uscan info: Parsing
uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/
uscan info: line: https://github.com/im-tomu/tomu-bootloader/tags
.*/v?(\d[\d\.\-rc]+)\.tar\.gz
uscan info: Last orig.tar.* tarball version (from debian/changelog): 2.0~rc7
uscan info: Last orig.tar.* tarball version (dversionmangled): 2.0~rc7
uscan info: Requesting URL:
https://github.com/im-tomu/tomu-bootloader/tags
uscan info: Matching pattern:
(?:(?:https://github.com)?\/im\-tomu\/tomu\-bootloader\/tags)?.*/v?(\d[\d\.\-rc]+)\.tar\.gz
uscan info: Found the following matching hrefs on the web page (newest
first):
/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz (2.0~rc7)
index=2.0~rc7-1
/im-tomu/tomu-bootloader/archive/v2.0-rc6.tar.gz (2.0~rc6)
index=2.0~rc6-1
/im-tomu/tomu-bootloader/archive/v2.0-rc5.tar.gz (2.0~rc5)
index=2.0~rc5-1
/im-tomu/tomu-bootloader/archive/v2.0-rc4.tar.gz (2.0~rc4)
index=2.0~rc4-1
/im-tomu/tomu-bootloader/archive/v2.0-rc3.tar.gz (2.0~rc3)
index=2.0~rc3-1
/im-tomu/tomu-bootloader/archive/v2.0-rc2.tar.gz (2.0~rc2)
index=2.0~rc2-1
/im-tomu/tomu-bootloader/archive/v2.0-rc1.tar.gz (2.0~rc1)
index=2.0~rc1-1
uscan info: Looking at $base =
https://github.com/im-tomu/tomu-bootloader/tags with
$filepattern = .*/v?(\d[\d\.\-rc]+)\.tar\.gz found
$newfile = /im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
$newversion = 2.0~rc7 which is newer than
$lastversion = 2.0~rc7
uscan info: Matching target for downloadurlmangle:
https://github.com/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: Upstream URL(+tag) to download is identified as
https://github.com/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: Matching target for filenamemangle:
/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: Filename (filenamemangled) for downloaded file:
firmware-tomu-2.0-rc7.tar.gz
uscan info: Newest version of firmware-tomu on remote site is 2.0~rc7,
local version is 2.0~rc7
uscan info: => Package is up to date for from
https://github.com/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: => Forcing download as requested
uscan info: Downloading upstream package: firmware-tomu-2.0-rc7.tar.gz
uscan info: Requesting URL:
https://github.com/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: Successfully downloaded package: firmware-tomu-2.0-rc7.tar.gz
uscan info: Start checking for common possible upstream OpenPGP
signature files
uscan info: End checking for common possible upstream OpenPGP signature
files
uscan info: Missing OpenPGP signature.
uscan info: New orig.tar.* tarball version (oversionmangled): 2.0~rc7
uscan info: Launch mk-origtargz with options:
--package firmware-tomu --version 2.0~rc7 --compression default
--directory .. --copyright-file debian/copyright
../firmware-tomu-2.0-rc7.tar.gz
Successfully repacked ../firmware-tomu-2.0-rc7.tar.gz as
../firmware-tomu_2.0~rc7.orig.tar.xz, deleting 11 files from it.
uscan info: New orig.tar.* tarball version (after mk-origtargz): 2.0~rc7
uscan info: Scan finished
---------------------------------------------------------------------
The upstream package is downloaded and repacked as intended. Now with
'--skip-signature':
---------------------------------------------------------------------
emiliano@zapata:~/git/foo/firmware-tomu$ uscan --force-download
--skip-signature --verbose
uscan info: uscan (version 2.19.2) See uscan(1) for help
uscan info: Scan watch files in .
uscan info: Check debian/watch and debian/changelog in .
uscan info: package="firmware-tomu" version="2.0~rc7-1" (as seen in
debian/changelog)
uscan info: package="firmware-tomu" version="2.0~rc7" (no epoch/revision)
uscan info: Check debian/watch and debian/changelog in
./.git/logs/refs/remotes/origin
uscan info: Check debian/watch and debian/changelog in
./.git/logs/refs/heads
uscan info: Check debian/watch and debian/changelog in
./.git/refs/remotes/origin
uscan info: Check debian/watch and debian/changelog in ./.git/refs/heads
uscan info: ./debian/changelog sets package="firmware-tomu"
version="2.0~rc7"
uscan info: Process watch file at: debian/watch
package = firmware-tomu
version = 2.0~rc7
pkg_dir = .
uscan info: opts:
filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/firmware-tomu-$1\.tar\.gz/,uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/
uscan info: line: https://github.com/im-tomu/tomu-bootloader/tags
.*/v?(\d[\d\.\-rc]+)\.tar\.gz
uscan info: Parsing
filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/firmware-tomu-$1\.tar\.gz/
uscan info: Parsing
uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/
uscan info: line: https://github.com/im-tomu/tomu-bootloader/tags
.*/v?(\d[\d\.\-rc]+)\.tar\.gz
uscan info: Last orig.tar.* tarball version (from debian/changelog): 2.0~rc7
uscan info: Last orig.tar.* tarball version (dversionmangled): 2.0~rc7
uscan info: Requesting URL:
https://github.com/im-tomu/tomu-bootloader/tags
uscan info: Matching pattern:
(?:(?:https://github.com)?\/im\-tomu\/tomu\-bootloader\/tags)?.*/v?(\d[\d\.\-rc]+)\.tar\.gz
uscan info: Found the following matching hrefs on the web page (newest
first):
/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz (2.0~rc7)
index=2.0~rc7-1
/im-tomu/tomu-bootloader/archive/v2.0-rc6.tar.gz (2.0~rc6)
index=2.0~rc6-1
/im-tomu/tomu-bootloader/archive/v2.0-rc5.tar.gz (2.0~rc5)
index=2.0~rc5-1
/im-tomu/tomu-bootloader/archive/v2.0-rc4.tar.gz (2.0~rc4)
index=2.0~rc4-1
/im-tomu/tomu-bootloader/archive/v2.0-rc3.tar.gz (2.0~rc3)
index=2.0~rc3-1
/im-tomu/tomu-bootloader/archive/v2.0-rc2.tar.gz (2.0~rc2)
index=2.0~rc2-1
/im-tomu/tomu-bootloader/archive/v2.0-rc1.tar.gz (2.0~rc1)
index=2.0~rc1-1
uscan info: Looking at $base =
https://github.com/im-tomu/tomu-bootloader/tags with
$filepattern = .*/v?(\d[\d\.\-rc]+)\.tar\.gz found
$newfile = /im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
$newversion = 2.0~rc7 which is newer than
$lastversion = 2.0~rc7
uscan info: Matching target for downloadurlmangle:
https://github.com/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: Upstream URL(+tag) to download is identified as
https://github.com/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: Matching target for filenamemangle:
/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: Filename (filenamemangled) for downloaded file:
firmware-tomu-2.0-rc7.tar.gz
uscan info: Newest version of firmware-tomu on remote site is 2.0~rc7,
local version is 2.0~rc7
uscan info: => Package is up to date for from
https://github.com/im-tomu/tomu-bootloader/archive/v2.0-rc7.tar.gz
uscan info: => Forcing download as requested
uscan info: Scan finished
---------------------------------------------------------------------
The upstream package isn't downloaded.
I've attached my watch file and my copyright file (I'm using
Files-Excluded). If you need more context, the package I'm working on can
be found here:
https://salsa.debian.org/debian/firmware-tomu/
I've marked this as important since 'uscan --verbose
--download-current-version --force-download --rename --skip-signature'
is the default command used by the Salsa CI Team's default gbp CI pipeline.
If you think it isn't that high a severity, please feel free to
downgrade it.
Cheers!
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Louis-Philippe Véronneau
⢿⡄⠘⠷⠚⠋ [email protected] / veronneau.org
⠈⠳⣄
version=4
opts=filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/firmware-tomu-$1\.tar\.gz/,uversionmangle=s/(\d)[_\.\-\+]?((RC|rc|pre|dev|beta|alpha)\d*)$/$1~$2/ \
https://github.com/im-tomu/tomu-bootloader/tags .*/v?(\d[\d\.\-rc]+)\.tar\.gz
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: tomu-bootloader
Upstream-Contact: Sean Cross <[email protected]>
Source: https://github.com/im-tomu/tomu-bootloader
Comment: The upstream source tarball is repacked to drop off the prebuilt
 tomu firmware and the Windows binaries for dfu-util.
Files-Excluded: bin/*
 prebuilt/*

Files: *
Copyright: 2016-2018, Tim Ansell <[email protected]>
 2017-2018, Sean Cross <[email protected]>
License: GPL-3

Files: booster/xxhash.c
 booster/xxhash.h
 toboot/xxhash.c
 toboot/xxhash.h
Copyright: 2012-2016, Yann Collet
License: BSD-2-clause

Files: openocd/build-openocd.sh
Copyright: 2017, Aleksa Sarai <[email protected]>
License: GPL-3+

Files: tomu.ld
 booster/tomu.ld
 tests/secure-erase/pass-1/tomu.ld
 tests/secure-erase/pass-2/tomu.ld
Copyright: 2016, Silicon Laboratories, Inc. http://www.silabs.com
License: Apache-2.0

Files: toboot/dfu.c
 toboot/dfu.h
Copyright: 2013, Micah Elizabeth Scott
License: Expat

Files: toboot/usb_dev.c
Copyright: 2013, PJRC.COM, LLC
 2017, Sergei Glushchenko
License: GPL-3+

Files: toboot/usb_desc.c
 toboot/usb_desc.h
 toboot/usb_dev.h
Copyright: 2013, PJRC.COM, LLC
License: BSD-2-clause

Files: toboot/webusb_defs.h
Copyright: 2016, Devan Lai
License: ISC

Files: debian/*
Copyright: 2019, Louis-Philippe Véronneau <[email protected]>
License: GPL-3+

License: Apache-2.0
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements. See the NOTICE file distributed with
 this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
 (the "License"); you may not use this file except in compliance with
 the License. You may obtain a copy of the License at
 .
 https://www.apache.org/licenses/LICENSE-2.0
 .
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 .
 On Debian systems, the full text of the Apache Software License version 2
 can be found in the file `/usr/share/common-licenses/Apache-2.0'.

License: BSD-2-clause
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
 met:
 1. Redistributions of source code must retain the above copyright notice,
    this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.

License: Expat
 Permission is hereby granted, free of charge, to any person obtaining a
 copy of this software and associated documentation files (the "Software"),
 to deal in the Software without restriction, including without limitation
 the rights to use, copy, modify, merge, publish, distribute, sublicense,
 and/or sell copies of the Software, and to permit persons to whom the
 Software is furnished to do so, subject to the following conditions:
 .
 The above copyright notice and this permission notice shall be included
 in all copies or substantial portions of the Software.
 .
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 DEALINGS IN THE SOFTWARE.

License: GPL-3
 This program is free software; you can redistribute it and/or modify it
 under the terms of the GNU General Public License as published by the
 Free Software Foundation; version 3.
 .
 On Debian systems, the complete text of version 3 of the GNU General
 Public License can be found in '/usr/share/common-licenses/GPL-3'.

License: GPL-3+
 This program is free software; you can redistribute it and/or modify it
 under the terms of the GNU General Public License as published by the
 Free Software Foundation; version 3, or (at your option) any later
 version.
 .
 On Debian systems, the complete text of version 3 of the GNU General
 Public License can be found in '/usr/share/common-licenses/GPL-3'.

License: ISC
 Permission to use, copy, modify, and distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
 copyright notice and this permission notice appear in all copies.
 .
 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
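Added example, not part of the report or of devscripts: two POSIX sh gates a CI job could run after the uscan step, one over the verbose log and one over the output directory, so the second run above fails the job instead of exiting successfully with no orig tarball. The function names and the sample log excerpts are constructed here.

```shell
#!/bin/sh
# Added example, not part of the report or of devscripts: CI gates that
# make the "forced download requested, nothing downloaded" outcome fail
# the job. uscan still exits 0 in that case, so the pipeline would
# otherwise carry on without an orig tarball.

# uscan_log_ok: read a `uscan --verbose` log on stdin. Returns 1 when
# uscan announced a forced download but never reported completing it.
uscan_log_ok() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'Forcing download as requested'; then
        printf '%s\n' "$log" | grep -q 'Successfully downloaded package:' \
            || return 1
    fi
    return 0
}

# orig_tarball_present PACKAGE UPSTREAM_VERSION DIR: succeed only if the
# repacked orig tarball (any compression) exists where mk-origtargz put it,
# e.g. ../firmware-tomu_2.0~rc7.orig.tar.xz in the first run above.
orig_tarball_present() {
    for f in "$3/${1}_${2}.orig.tar."*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Constructed excerpts of the two runs quoted in the report.
GOOD_LOG='uscan info: => Forcing download as requested
uscan info: Downloading upstream package: firmware-tomu-2.0-rc7.tar.gz
uscan info: Successfully downloaded package: firmware-tomu-2.0-rc7.tar.gz
uscan info: Scan finished'
BAD_LOG='uscan info: => Forcing download as requested
uscan info: Scan finished'

# Demo against the constructed logs; in CI you would instead pipe the real
# uscan output into uscan_log_ok and point orig_tarball_present at "..".
demo() {
    printf '%s\n' "$GOOD_LOG" | uscan_log_ok \
        && echo "first run: download confirmed"
    printf '%s\n' "$BAD_LOG" | uscan_log_ok \
        || echo "second run: forced download never happened"
}

demo
```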