Hi,

On Sun, Aug 27, 2017 at 08:51:49PM -0300, Henrique de Moraes Holschuh wrote:
> On Wed, 23 Aug 2017, Russ Allbery wrote:
> > Note that this Policy language is carefully written to make it perfectly
> > fine for uscan to support all the things it currently supports, since it
> > only talks about what Policy recommends the maintainer does. So don't
> > feel any obligation to change what uscan is doing on Policy's account
> > here.
>
> Actually, the text in 4.1.0.0 might be doing too much. It reads:
>
> "If the upstream maintainer of the software provides OpenPGP signatures
> for new releases, including the information required for "uscan" to
> verify signatures for new upstream releases is also recommended. To do
> this, use the "pgpsigurlmangle" option in "debian/watch" to specify
> the location of the upstream signature, and include the key or keys
> used to sign upstream releases in the Debian source package as
> "debian/upstream/signing-key.asc".
>
> IMO, it should either not be mandating uscan internals, or it should be

In principle, your comment is a very reasonable one.

> very clear about the exact subset of stuff we can use in debian/watch
> (version, etc). For example, I'd rather use opt="..., pgpmode=auto,..."
> instead of explicitly hardcoding a "pgpsigurlmangle".

The new pgpmode=auto and pgpmode=previous have bugs and fail to function
smoothly --- #873289 #852537

Excuse me for these bugs. The fixes have been committed to git. I am
hoping the next upload of devscripts (and its backport) will fix them.

So "pgpsigurlmangle" is the only good way at this moment.

> IMHO, just drop everything from "To do this..." to the end of that
> paragraph entirely. HOW one gets "uscan" to fetch and check upstream
> signatures is a job for the uscan(1) manpage. Alternatively, just
> mention "debian/watch", and to refer to the uscan documentation in
> package "devscripts".

Once pgpmode=auto becomes noise free, this should be the preferred
choice. It will be nice to address #833012, too, using s/\?/.asc?/ etc.
to make it really the default one.

So for now, the policy text is better for me.

> OTOH, if we really need to mandate a specific level of debian/watch
> support, the current text in policy needs work: it doesn't even tell me
> whether I can use version=3 (supported in oldstable), or version=4
> (supported in oldstable-backports and stable), for example...

The uscan version=3/version=4 difference is not much about enhanced
mangling rules. It's about how uupdate is invoked and how uupdate
creates the updated source tree. version=4 uses dpkg-source as back-end
and is capable of generating multi-upstream tarballs.

If you use the new uscan, even with a watch file marked as version=3, it
has access to the enhanced mangling rules.

Osamu
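
The following is an added example, not part of the original message and not code from devscripts. It shows how the two rule forms mentioned above, `s/$/.asc/` and `s/\?/.asc?/`, place the `.asc` suffix on a download URL with and without a query string, and it checks a source tree for the two pieces the quoted Policy text names. The function names, the `example.org` URLs and the sample watch file are constructed, and the rule handling is a simplified model using Python's `re` (first match only, literal replacement).

```python
import re
from pathlib import Path

KEY_FILE = "debian/upstream/signing-key.asc"  # path named in the quoted Policy text
RULE = r"s/((?:\\.|[^/\\])*)/((?:\\.|[^/\\])*)/"  # one sed-style rule, no flags

# Constructed sample watch file (example.org and the package name are made up).
SAMPLE_WATCH = r"""version=4
opts=pgpsigurlmangle=s/$/.asc/ \
  https://example.org/releases/ foo-(.+)\.tar\.gz
"""

def signature_url(rule, url):
    """Apply a single s/PATTERN/REPLACEMENT/ rule to a download URL.

    Simplified model of the mangling: first match only, and the
    replacement is taken literally (no backreferences).
    """
    m = re.fullmatch(RULE, rule)
    if m is None:
        raise ValueError("unsupported rule: %r" % rule)
    pattern, replacement = m.groups()
    return re.sub(pattern, lambda _m: replacement, url, count=1)

def check_tree(root):
    """List what is missing for signature checking in a source tree."""
    root = Path(root)
    watch = root / "debian" / "watch"
    if not watch.is_file():
        return ["no debian/watch"]
    text = watch.read_text()
    findings = []
    if not re.search("pgpsigurlmangle=" + RULE, text) and "pgpmode=" not in text:
        findings.append("debian/watch sets neither pgpsigurlmangle nor pgpmode")
    if not (root / KEY_FILE).is_file():
        findings.append("missing " + KEY_FILE)
    return findings

if __name__ == "__main__":
    plain = "https://example.org/releases/foo-1.0.tar.gz"
    query = plain + "?download"
    print(signature_url("s/$/.asc/", plain))      # suffix lands on the file name
    print(signature_url("s/$/.asc/", query))      # suffix lands after the query
    print(signature_url(r"s/\?/.asc?/", query))   # suffix lands before the "?"
```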