genmkfile lintian debian-watch-may-check-gpg-signature build issue

Information

ID: 277
PHID: PHID-TASK-6yn7aayfhw475gpevty4
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal

Description

This is currently breaking builds of Whonix on Debian jessie, because lintian is reporting this issue, genmkfile detects it and breaks the build.


P: anon-apt-sources-list source: debian-watch-may-check-gpg-signature
N: 
N:    This watch file does not include a means to verify the upstream tarball
N:    using cryptographic signature.
N:    
N:    If upstream distributions provide such signatures, please use the
N:    pgpsigurlmangle options in this watch file's opts= to generate the URL
N:    of an upstream GPG signature. This signature is automatically downloaded
N:    and verified against a keyring stored in
N:    debian/upstream-signing-key.asc.
N:    
N:    Of course, not all upstreams provide such signatures, but you could
N:    request them as a way of verifying that no third party has modified the
N:    code against their wishes after the release. Projects such as
N:    phpmyadmin, unrealircd, and proftpd have suffered from this kind of
N:    attack.
N:    
N:    Refer to the uscan(1) manual page for details.
N:    
N:    Severity: pedantic, Certainty: certain
N:    
N:    Check: watch-file, Type: source
N:

https://lintian.debian.org/tags/debian-watch-may-check-gpg-signature.html


Previously the watch file has just been added to fix the [--pedantic?] lintian warning, that there is no watch file at all. So we can say, the package is --pedantic lintian clean, i.e. has zero lintian warnings to shorten discussions about that and to make packaging “complete”.

We don’t really need the watch files for Whonix currently since we’re upstream and packager in one person and not using such a notification mechanism.

I am wondering about which fix would be appropriate. Possible routes:

  • each and every package getting a lintian override to make lintian ignore this issue
  • trying to make the watch file support gpg as per debian/watch - Debian Wiki - it would require adding Whonix’s signing key to each and every package
  • anything else?

Workarounds:

Making lintian fail open.

export make_use_lintian=open

Or not using lintian.

export make_use_lintian=false
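
The two routes listed above (a lintian override, or a watch file that verifies the upstream signature), as an added example written for this task and not genmkfile's or Whonix's own code: a POSIX shell script that reproduces the check behind the lintian tag for one source package directory and writes either form of fix. The example.invalid URL, the placeholder keyring content and the package tree it builds are constructed assumptions; the watch file syntax follows uscan(1) format version 3.

```shell
#!/bin/sh
# Added example (not from the task, genmkfile or Whonix): reproduce the check
# behind lintian's debian-watch-may-check-gpg-signature tag and write either fix.
# Assumed layout: DIR/debian/watch, DIR/debian/upstream-signing-key.asc and
# DIR/debian/source/lintian-overrides, as lintian and uscan(1) expect.

# watch_checks_signature DIR -> 0 if debian/watch asks uscan to fetch a GPG
# signature (pgpsigurlmangle in opts=) AND the keyring it is verified against
# exists and is non-empty; 1 otherwise (what lintian flags as pedantic).
watch_checks_signature() {
    watch="$1/debian/watch"
    keyring="$1/debian/upstream-signing-key.asc"
    [ -f "$watch" ] || return 1
    grep -Eq '^opts=.*pgpsigurlmangle=' "$watch" || return 1
    [ -s "$keyring" ] || return 1
    return 0
}

# make_demo_package DIR MODE -> constructed package tree for testing.
# MODE "unsigned": plain watch file, as in the task.
# MODE "signed": opts=pgpsigurlmangle plus a placeholder keyring file.
make_demo_package() {
    mkdir -p "$1/debian"
    if [ "$2" = signed ]; then
        cat > "$1/debian/watch" <<'EOF'
version=3
opts=pgpsigurlmangle=s/$/.asc/ \
https://example.invalid/releases/anon-apt-sources-list-(\d+\.\d+)\.tar\.gz
EOF
        # Placeholder (assumption): a real package ships the exported public key.
        printf '%s\n' 'PLACEHOLDER: replace with the upstream signing public key' \
            > "$1/debian/upstream-signing-key.asc"
    else
        cat > "$1/debian/watch" <<'EOF'
version=3
https://example.invalid/releases/anon-apt-sources-list-(\d+\.\d+)\.tar\.gz
EOF
    fi
}

# write_override DIR PACKAGE -> the first route from the task: a source-level
# lintian override so the pedantic tag no longer makes genmkfile fail the build.
write_override() {
    mkdir -p "$1/debian/source"
    printf '%s source: debian-watch-may-check-gpg-signature\n' "$2" \
        >> "$1/debian/source/lintian-overrides"
}
```

Running watch_checks_signature over every package directory before lintian tells you which packages still need one of the two fixes.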

Comments


nrgaway

2015-04-26 23:56:35 UTC


Patrick

2015-04-27 00:29:12 UTC


Patrick

2015-04-27 18:25:50 UTC


Patrick

2015-04-28 13:52:13 UTC