Package: git-buildpackage
Version: 0.9.30
Severity: important
X-Debbugs-Cc: deb...@rocketjump.eu

Hi,

I was trying to import a newer upstream version of rp-pppoe, here's the shell session transcript:

---8<------8<------8<------8<------8<------8<------8<------8<------8<---
$ ls -l ../rp-pppoe-4.0.tar.gz*
-rw-r--r-- 1 randall randall 139539 Mai 21 14:58 ../rp-pppoe-4.0.tar.gz
-rw-r--r-- 1 randall randall 583 Mai 20 10:32 ../rp-pppoe-4.0.tar.gz.sig
$ gbp import-orig --upstream-signatures=on --upstream-tag=deleteme --verbose ../rp-pppoe-4.0.tar.gz
gbp:debug: ['git', 'rev-parse', '--show-cdup']
gbp:debug: ['git', 'rev-parse', '--is-bare-repository']
gbp:debug: ['git', 'rev-parse', '--git-dir']
gbp:debug: ['git', 'for-each-ref', '--format=%(refname:short)', 'refs/heads/']
gbp:debug: ['git', 'show-ref', '--verify', 'refs/heads/upstream/latest']
gbp:debug: ['git', 'status', '--porcelain']
What is the upstream version? [4.0]
gbp:debug: ['git', 'tag', '-l', 'deleteme']
gbp:debug: tar ['-C', '../tmpcjic_cw6', '-a', '-xf', '../rp-pppoe-4.0.tar.gz'] []
gbp:debug: Unpacked '../rp-pppoe-4.0.tar.gz' to '../tmpcjic_cw6/rp-pppoe-4.0'
gbp:info: <DebianUpstreamSource path='../rp-pppoe-4.0.tar.gz' signaturefile=None>
gbp:info: Importing '../rp-pppoe-4.0.tar.gz' to branch 'upstream/latest'...
gbp:info: Source package is rp-pppoe
gbp:info: Upstream version is 4.0
gbp:debug: ['git', 'show-ref', '--verify', 'refs/heads/upstream/latest']
gbp:debug: ['git', 'rev-parse', '--quiet', '--verify', 'upstream/latest']
gbp:debug: ['git', 'add', '-f', '.']
gbp:debug: ['git', 'write-tree']
gbp:debug: ['git', 'rev-parse', '--quiet', '--verify', 'upstream/latest']
gbp:debug: ['git', 'commit-tree', '3017f5070cb7a09b0d79d49df8860a42e460f66e', '-p', '31d68177a90b0e56367dbd8901711fdc551ec2ad']
gbp:debug: ['git', 'update-ref', '-m', 'gbp: New upstream version 4.0', 'refs/heads/upstream/latest', 'b7b1dd7a852a6fe0c544d38e2baf8cff7b65cd4f', '31d68177a90b0e56367dbd8901711fdc551ec2ad']
gbp:debug: ['git', 'show-ref', '--verify', 'refs/heads/pristine-tar']
gbp:debug: ['git', 'rev-parse', '--quiet', '--verify', 'pristine-tar']
gbp:error: ../rp-pppoe-4.0.tar.gz does not have a signature file
gbp:error: Error detected, Will roll back changes.
gbp:info: Rolling back branch upstream/latest by resetting it to 31d68177a90b0e56367dbd8901711fdc551ec2ad
gbp:debug: ['git', 'update-ref', '-m', 'gbp import-orig: failure rollback of upstream/latest', 'refs/heads/upstream/latest', '31d68177a90b0e56367dbd8901711fdc551ec2ad']
gbp:info: Rolling back branch pristine-tar by resetting it to 3b63b1f0270f976f8b6f6d5eb27d4d7054bf50e1
gbp:debug: ['git', 'update-ref', '-m', 'gbp import-orig: failure rollback of pristine-tar', 'refs/heads/pristine-tar', '3b63b1f0270f976f8b6f6d5eb27d4d7054bf50e1']
gbp:error: Rolled back changes after import error.
gbp:debug: rm ['-rf', '../tmpcjic_cw6'] []
$ gpg --verify ../rp-pppoe-4.0.tar.gz.sig ../rp-pppoe-4.0.tar.gz
gpg: Signature made Mi 26 Apr 2023 21:02:53 CEST
gpg: using RSA key 738E4D954052902C147D07B2685A5A5E511D30E2
gpg: issuer "dia...@skoll.ca"
gpg: Good signature from "Dianne Skoll <dia...@skollsoft.com>" [unknown]
gpg: aka "Dianne Skoll <dia...@skoll.ca>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 738E 4D95 4052 902C 147D 07B2 685A 5A5E 511D 30E2
---8<------8<------8<------8<------8<------8<------8<------8<------8<---

As you can see, the signature is valid. After digging around I found out that renaming the .sig file to .asc actually makes the above import-orig command run through.

It would be great if `gbp import-orig` would check a set of extensions similar to uscan (?:asc|pgp|gpg|sig|sign) and also document those in the man page.

Set to important as I believe importing signed tarballs is a crucial step in Debian packaging and maintainers should not be tempted to import it unsigned to work around bugs.

Greets,
Lee

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990, 'proposed-updates'), (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-21-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages git-buildpackage depends on:
ii  devscripts             2.23.4+deb12u1
ii  git                    1:2.39.2-1.1
ii  man-db                 2.11.2-2
ii  python3                3.11.2-1+b1
ii  python3-dateutil       2.8.2-2
ii  python3-pkg-resources  66.1.1-1
ii  python3-yaml           6.0-3+b2
ii  sensible-utils         0.0.17+nmu1

Versions of packages git-buildpackage recommends:
ii  pristine-tar      1.50
ii  python3-requests  2.28.1+dfsg-1
ii  sbuild            0.85.0

Versions of packages git-buildpackage suggests:
ii  python3-notify2  0.3-5
ii  sudo             1.9.13p3-1+deb12u1
ii  unzip            6.0-28

-- no debconf information
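
Added example, not part of the original report and not code from git-buildpackage or uscan: a sketch of the lookup the report asks for, trying each extension from the quoted set beside the tarball and failing closed when a signature is required. The names `find_signatures`, `select_signature` and `MissingSignature`, the preference order and the sample files are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions quoted in the report; order = preference (sketch assumption).
SIG_EXTS = ("asc", "pgp", "gpg", "sig", "sign")


class MissingSignature(Exception):
    """A signature was required but no usable candidate exists."""


def find_signatures(tarball):
    """List non-empty regular files named <tarball>.<ext>, preferred first."""
    tarball = Path(tarball)
    pattern = re.compile(re.escape(tarball.name) + r"\.(" + "|".join(SIG_EXTS) + ")")
    hits = []
    for entry in tarball.parent.iterdir():
        m = pattern.fullmatch(entry.name)
        # An empty or non-regular file cannot carry a signature.
        if m and entry.is_file() and entry.stat().st_size > 0:
            hits.append((SIG_EXTS.index(m.group(1)), entry))
    return [path for _, path in sorted(hits)]


def select_signature(tarball, required=True):
    """Return the preferred signature; fail closed when one is required."""
    found = find_signatures(tarball)
    if found:
        return found[0]
    if required:
        raise MissingSignature(f"{tarball}: none of {SIG_EXTS} found beside it")
    return None


def demo():
    """Constructed files mirroring the report: only a .sig beside the tarball."""
    with tempfile.TemporaryDirectory() as tmp:
        tar = Path(tmp) / "rp-pppoe-4.0.tar.gz"
        tar.write_bytes(b"constructed tarball bytes")
        sig = tar.with_name(tar.name + ".sig")
        sig.touch()  # empty file: must not count as a signature
        empty = select_signature(tar, required=False)
        sig.write_bytes(b"constructed signature bytes")
        picked = select_signature(tar).name
        tar.with_name(tar.name + ".asc").write_text("constructed armored text")
        ordered = [p.name for p in find_signatures(tar)]
    return empty, picked, ordered
```

Locating the file is only the first step: the selected path still has to pass `gpg --verify` against the tarball, as in the transcript above.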