Package: devscripts
Version: 2.25.22~bpo13+1
Severity: wishlist

Hi!

Could you document that debian/watch supports not only 'Pgp-Mode:' but also 'Pgpmode:' as an alias that means the same thing? See below for discussion related to lintian not knowing about both tags, which is due to lack of documentation about this. Uscan already supports 'Pgpmode:' too, it seems, and the field appears to be used in many packages. I think it is too late to try to enforce any right or wrong here, and simpler to just document that both tags work.

/Simon

Nilesh Patra <[email protected]> writes:

> On 07/03/26 1:30 pm, Simon Josefsson wrote:
>> Nilesh Patra <[email protected]> writes:
>>
>>> On 07/03/26 1:03 pm, Simon Josefsson wrote:
>>>> Package: lintian
>>>> Version: 2.122.0
>>>>
>>>> Hi!
>>>>
>>>> It seems orig-tarball-missing-upstream-signature is enabled at Warning
>>>> severity level when debian/upstream/signing-key.asc exists but there is
>>>> no *.asc PGP tarball signature, see lintian complaint below.
>>>>
>>>> However 'ding-libs' is using upstream git as the source, and upstream
>>>> uses PGP signed tags, as explained by debian/watch:
>>>>
>>>> Version: 5
>>>> Source: https://github.com/SSSD/ding-libs.git
>>>> Matching-Pattern: refs/tags/@ANY_VERSION@
>>>> Mode: git
>>>> Pgpmode: gittag
>>>>
>>>> For that PGP git tag verification to work, a PGP key is needed, and I
>>>> believe uscan and other tools use debian/upstream/signing-key.asc for
>>>> verifying PGP-signed git tags, and have done so for a long time now.
>>>>
>>>> Thus, I think orig-tarball-missing-upstream-signature should be modified
>>>> to not trigger, at least not at warning level, when PGP-signed git tags
>>>> are used.
>>>>
>>>> I did not see PGP-signed git tags discussed in #954743 and #872864 but
>>>> could have missed it, so I think this is a somewhat different situation
>>>
>>> That is already the case, lintian checks for "Pgp-Mode: gittag" and does
>>> not emit it for the same. Pgp-Mode is documented in d/watch manpage[1].
>>>
>>> Your package uses "Pgpmode: gittag" which is either wrong or not documented
>>> in the manpage. Do you know if it's the latter case? If so, I will add this.
>>
>> D'uh! Thank you for spotting that. This is cut'n'paste code, so I'm
>> pretty sure this was coming from some other package.
>
> Yes. I see quite a few of them
>
> https://codesearch.debian.net/search?q=path%3Adebian%2Fwatch+Pgpmode%3A&literal=1
>
>> Uscan seems to be performing PGP verification here, snippet from
>> complete output below:
>>
>> uscan info: => Package is up to date from:
>> => https://github.com/SSSD/ding-libs.git refs/tags/0.7.0
>> uscan info: => Forcing download as requested
>> uscan info: Downloading and overwriting existing file: ding-libs-0.7.0.tar.xz
>> uscan info: Successfully downloaded package: ding-libs-0.7.0.tar.xz
>> gpgv: Signature made Mon Mar 2 11:50:45 2026 CET
>> gpgv: using RSA key 930201AAB42DD1947210B7838D7326351A726211
>> gpgv: Good signature from "Alexey Tikhonov <[email protected]>"
>> uscan info: New orig.tar.* tarball version (oversionmangled): 0.7.0
>>
>> So presumably uscan supports 'Pgpmode:' too.
>
> Can I ask you to open a bug against devscripts and ask them to either
>
> a) document this
> or
> b) fix this if it is not expected?
>
> Maybe you could just re-assign this bug for the context.
>
>> I confirmed that changing debian/watch to 'Pgp-Mode: gittag' silenced
>> lintian.
>>
>> I still get the warning with 'Pgp-mode: gittag'. Is the header supposed
>> to be case sensitive?
>
> Yes.
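As an added illustration of the check this thread is about (example code, not lintian's or uscan's own): a small version-5 debian/watch reader that accepts both field spellings the report asks to have documented and decides whether a missing tarball .asc should be flagged. It assumes the 'Field: value' layout quoted above and case-sensitive field names, as the thread states for lintian; the sample watch file is the ding-libs one from the report.

```python
import re

# Both spellings this report asks devscripts to document.
PGP_MODE_FIELDS = ("Pgp-Mode", "Pgpmode")

# Constructed sample: the ding-libs debian/watch quoted in the report.
SAMPLE_WATCH = """\
Version: 5
Source: https://github.com/SSSD/ding-libs.git
Matching-Pattern: refs/tags/@ANY_VERSION@
Mode: git
Pgpmode: gittag
"""


def parse_watch_v5(text):
    """Parse 'Field: value' lines into a dict, keeping field-name case."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def pgp_mode(fields):
    """Return the PGP mode, accepting 'Pgp-Mode' and its alias 'Pgpmode'.

    Matching is case-sensitive (assumption, as the thread states for
    lintian), so a variant such as 'Pgp-mode' is deliberately not found."""
    for name in PGP_MODE_FIELDS:
        if name in fields:
            return fields[name]
    return None


def missing_tarball_signature(fields, have_signing_key, have_tarball_asc):
    """True when orig-tarball-missing-upstream-signature should fire:
    a signing key is shipped, no *.asc sits beside the tarball, and the
    watch file does not say the signature lives on the git tag instead."""
    if not have_signing_key or have_tarball_asc:
        return False
    return pgp_mode(fields) != "gittag"


if __name__ == "__main__":
    f = parse_watch_v5(SAMPLE_WATCH)
    print("pgp mode:", pgp_mode(f))
    print("warn:", missing_tarball_signature(f, True, False))
```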