Control: reopen -1
Control: retitle -1 UDD doesn't report sponsorship for tag2upload uploads
Control: reassign -1 qa.debian.org
Control: user [email protected]
Control: usertag -1 udd
Hi. We (the tag2upload team) received the following report:
Sven Geuer writes ("Bug#1116530: git-debpush: fact of a sponsored upload/push
gets lost"):
> doing a sponsored upload/push via "git debpush" works, while the fact
> it was sponsored is not mentioned by tracker.debian.org [1], no "signed
> by:" annotation, and DDPO [2], the package in question is not listed
> under "Sponsored/other uploads".
...
> [1] https://tracker.debian.org/pkg/scalpel
> [2] https://qa.debian.org/developer.php?login=sge%40debian.org
I believe both of these services are getting their data from UDD.
I looked in UDD and:
udd=> select * from upload_history where source='scalpel' and version='1.60+git20240110.6960eb2-2';
 source | version | date | changed_by | changed_by_name | changed_by_email | maintainer | maintainer_name | maintainer_email | nmu | signed_by | signed_by_name | signed_by_email | key_id | distribution | file | fingerprint
---------+----------------------------+------------------------+----------------------------------------+------------------+---------------------+--------------------------------------------------------------+-----------------------+--------------------------------------+-----+-----------+----------------+-----------------+--------+--------------+------------------------------+-------------
 scalpel | 1.60+git20240110.6960eb2-2 | 2025-09-27 19:57:51+00 | Matheus Polkorny <[email protected]> | Matheus Polkorny | [email protected] | Debian Security Tools <[email protected]> | Debian Security Tools | [email protected] | f | N/A | N/A | | N/A | unstable | debian-devel-changes.current | N/A
(1 row)
udd=>
I don't know precisely how UDD gets its data, but I think this may be
happening because UDD is mishandling `Git-Tag-*` fields in the
.changes file?
Compare these uploads:
1. Traditional sponsored upload
https://tracker.debian.org/news/1671040/accepted-secnet-068-source-into-unstable/
Maintainer: Ian Jackson <[email protected]>
Changed-By: Ian Jackson <[email protected]>
The PGP signature is from the sponsor, Sean Whitton. [1]
UDD has Sean in the `signed_by` column, which is correct.
2. tag2upload non-sponsored upload
https://tracker.debian.org/news/1659525/accepted-dgit-1313-source-into-unstable/
Maintainer: Debian tag2upload Delegates <[email protected]>
Changed-By: Ian Jackson <[email protected]>
Git-Tag-Info: tag=937352782edf8d25b5c6d7f3de1180e8566b7c40
fp=559ae46c2d6b6d3265e7cba1e3e3392348b50d39
Git-Tag-Tagger: Ian Jackson <[email protected]>
The PGP signature on the .changes is from the tag2upload service.
UDD has no `signed_by`, which I think is correct.
3. tag2upload sponsored upload (the case above)
https://tracker.debian.org/news/1671352/accepted-scalpel-160git202401106960eb2-2-source-into-unstable/
Maintainer: Debian Security Tools <[email protected]>
Changed-By: Matheus Polkorny <[email protected]>
Git-Tag-Info: tag=0f74dabff93a3a006a61c485ad8af3ecce86f4b0
fp=3df5e8aa43fc9fdfd086f195adf50edaf8add585
Git-Tag-Tagger: Sven Geuer <[email protected]>
The PGP signature on the .changes is from the tag2upload service.
I think UDD ought to have `signed_*` fields mentioning Sven Geuer,
but in fact it has 'N/A'.
The spec for the .changes fields can be found here:
https://salsa.debian.org/dgit-team/dgit/-/blob/609c3e90a1b093c513d250ee6c1c995719b02a41/TAG2UPLOAD-DESIGN.txt#L193
I hope this is enough information to fix it, but we're happy to answer
questions of course. Thanks for your attention.
Ian.
[1] I am having to replace my PGP key, so Sean kindly sponsored me.
--
Ian Jackson <[email protected]> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
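
An added example, not part of the message above and not UDD's or tag2upload's own code: one way a consumer of .changes fields could derive the signer for the three uploads compared in the message. The function name, the `example.org` addresses, the whitespace-separated parsing of `Git-Tag-Info`, and the rule of comparing `Git-Tag-Tagger` with `Changed-By` are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed samples mirroring the three uploads; addresses are placeholders.
CASE1 = ("Maintainer: Ian Jackson <ian@example.org>\n"
         "Changed-By: Ian Jackson <ian@example.org>\n")
CASE2 = ("Maintainer: Debian tag2upload Delegates <delegates@example.org>\n"
         "Changed-By: Ian Jackson <ian@example.org>\n"
         "Git-Tag-Info: tag=937352782edf8d25b5c6d7f3de1180e8566b7c40\n"
         " fp=559ae46c2d6b6d3265e7cba1e3e3392348b50d39\n"
         "Git-Tag-Tagger: Ian Jackson <ian@example.org>\n")
CASE3 = ("Maintainer: Debian Security Tools <team@example.org>\n"
         "Changed-By: Matheus Polkorny <matheus@example.org>\n"
         "Git-Tag-Info: tag=0f74dabff93a3a006a61c485ad8af3ecce86f4b0\n"
         " fp=3df5e8aa43fc9fdfd086f195adf50edaf8add585\n"
         "Git-Tag-Tagger: Sven Geuer <sven@example.org>\n")
SERVICE = "tag2upload service <service@example.org>"  # constructed identity


def signer_for_upload(changes_text, pgp_signer):
    """Return the person the signed_by columns should name, or None.

    pgp_signer is "Name <addr>" for the key that signed the .changes file.
    """
    fields = message_from_string(changes_text)  # handles folded fields
    changed_by = parseaddr(fields["Changed-By"] or "")[1].lower()
    tagger = fields["Git-Tag-Tagger"]
    if tagger is None:
        # Traditional upload: the .changes signature identifies the signer.
        name, addr = parseaddr(pgp_signer)
        fingerprint = None
    else:
        # tag2upload: the .changes is signed by the service, so the human
        # behind the upload is the tagger; fp= comes from Git-Tag-Info.
        name, addr = parseaddr(tagger)
        tokens = (fields["Git-Tag-Info"] or "").split()
        info = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
        fingerprint = info.get("fp")
        if addr.lower() == changed_by:
            return None  # case 2: tagger is the author, nothing to record
    return {"name": name, "email": addr, "fingerprint": fingerprint,
            "sponsored": addr.lower() != changed_by}


if __name__ == "__main__":
    print(signer_for_upload(CASE1, "Sean Whitton <sean@example.org>"))
    print(signer_for_upload(CASE2, SERVICE))
    print(signer_for_upload(CASE3, SERVICE))
```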