Control: tag -1 pending

Daniel Shahaf wrote on Thu, Jun 28, 2018 at 09:36:07 +0000:
> Control: tags -1 patch
> 
> Axel Beckert wrote on Thu, 28 Jun 2018 11:24 +0200:
> > Daniel Shahaf wrote:
> > > If that's the case, then removing the override_dh_installchangelogs
> > > target would be the correct fix.
> > 
> > Yes.
> > 
> 
> Okay.  In this case the attached patch should fix it.
> 
> Getting a bit ahead of myself, we don't seem to have anywhere to push
> that patch now, since the package's repository was on alioth and hasn't
> been migrated to salsa.  I'll have to look into migrating that.  (Also would
> need to test the patch and tag an 0.6.0-2 that has it.)

Okay.  I've verified the patch and pushed it in
7ce9697ed43d20e9a10fce052516b4b324654c6c.  (Does salsa have a facility for
automatically adding the 'pending' tag, like git-tag-pending on alioth?)

There are a few lintian warnings with that, but I think they are less important
than fixing the FTBFS:

> P: zsh-syntax-highlighting source: package-uses-old-debhelper-compat-version 
> 10

I've looked through the upgrade checklist in debhelper(7) on buster.  It's
probably safe to just bump to 11 but I would like to first upload the FTBFS fix
since, if there is fallout here, I wouldn't have time to deal with it.

> I: zsh-syntax-highlighting source: out-of-date-standards-version 4.1.1 
> (released 2017-09-27) (current is 4.1.4)

v4.1.2 adds a requirement in ยง4.10 that Perl scripts must use "#!/usr/bin/perl"
as the first line.  I assume that requirement doesn't affect tests/tap, right?

Assuming that's the case, it's safe to just bump to 4.1.4 with no changes.

> I: zsh-syntax-highlighting source: testsuite-autopkgtest-missing

New feature, not a bug, doesn't block fixing the FTBFS.

> X: zsh-syntax-highlighting source: upstream-metadata-file-is-missing

New feature, not a bug, doesn't block fixing the FTBFS.

> P: zsh-syntax-highlighting source: debian-watch-does-not-check-gpg-signature
> N:
> N:   This watch file does not include a means to verify the upstream
> N:   tarball using cryptographic signature.

Upstream doesn't provide signed tarballs, only signed git tags.  We can either
ignore this warning or ask upstream to start producing signed tarballs as well.
At any rate, doesn't block fixing the FTBFS, especially since this isn't a new
upstream release.

> W: zsh-syntax-highlighting source: debian-watch-could-verify-download 
> debian/upstream/signing-key.asc
> N:
> N:   One or more upstream signing keys are present in the Debian package
> N:   but are not being used.
> N:   
> N:   Please enable the cryptographic verification of downloads with the
> N:   "pgpsigurlmangle" option in your watch file or remove the key.
> N:   

False positive.  Upstream provides only signed tags, no signed tarballs, so
there is no value pgpsigurlmangle can be set to, but at the same time, having
signing-key.asc in the package adds value, since it allows maintainers to
manually verify upstream releases (using 'git tag --verify').

> N:   Refer to the uscan(1) manual page for details.
> N:   
> N:   Severity: normal, Certainty: certain
> N:   
> N:   Check: watch-file, Type: source

Assuming we're in agreement about all that, I'll extend my PGP key validity
(just expired earlier today) and tag 7f8062b9b0d656292080d441f417e84adc253d78
as debian/0.6.0-2 and upload it.

And I suppose I should check whether there's a bug open against lintian asking
to demote the severity of debian-watch-could-verify-download.

Cheers,

Daniel

Reply via email to