
genmkfile lintian debian-watch-may-check-gpg-signature build issue
Closed, Resolved (Public)

Description

This is currently breaking builds of Whonix on Debian jessie, because lintian is reporting this issue, genmkfile detects it and breaks the build.


P: anon-apt-sources-list source: debian-watch-may-check-gpg-signature
N: 
N:    This watch file does not include a means to verify the upstream tarball
N:    using cryptographic signature.
N:    
N:    If upstream distributions provide such signatures, please use the
N:    pgpsigurlmangle options in this watch file's opts= to generate the URL
N:    of an upstream GPG signature. This signature is automatically downloaded
N:    and verified against a keyring stored in
N:    debian/upstream-signing-key.asc.
N:    
N:    Of course, not all upstreams provide such signatures, but you could
N:    request them as a way of verifying that no third party has modified the
N:    code against their wishes after the release. Projects such as
N:    phpmyadmin, unrealircd, and proftpd have suffered from this kind of
N:    attack.
N:    
N:    Refer to the uscan(1) manual page for details.
N:    
N:    Severity: pedantic, Certainty: certain
N:    
N:    Check: watch-file, Type: source
N:

https://lintian.debian.org/tags/debian-watch-may-check-gpg-signature.html


Previously the watch file had just been added to fix the [--pedantic?] lintian warning that there is no watch file at all. So we can say the package is --pedantic lintian clean, i.e. has zero lintian warnings, to shorten discussions about that and to make packaging "complete".

We don't really need the watch files for Whonix currently, since we're upstream and packager in one person and not using such a notification mechanism.

I am wondering about which fix would be appropriate. Possible routes:


Workarounds:

Making lintian fail open.

export make_use_lintian=open

Or not using lintian.

export make_use_lintian=false
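For reference, this is what the lintian tag quoted above is asking for. The block below is an added example, not from the ticket, from uscan or from the Whonix build scripts: it writes a debian/watch file whose opts= carries a pgpsigurlmangle rule, reads the rule back, and shows how that rule turns a tarball URL into the URL of the detached signature that uscan would then verify against debian/upstream-signing-key.asc. The project name, URL and version are constructed placeholders; uscan itself interprets the rule as a Perl s/// substitution, and sed is used here only because the simple anchored form gives the same result.

```shell
#!/bin/sh
# Added example (not the Whonix or uscan code): a watch file with
# pgpsigurlmangle, and how the rule maps a tarball URL to its signature URL.
# Package name, URL and version below are constructed placeholders.
set -eu

# Write a watch file that tells uscan where the upstream signature lives.
# With pgpsigurlmangle=s/$/.asc/, uscan appends ".asc" to each tarball URL,
# downloads that file and verifies it against debian/upstream-signing-key.asc.
write_watch_file() {
    dir="$1"
    mkdir -p "$dir/debian"
    cat > "$dir/debian/watch" <<'EOF'
version=3
opts=pgpsigurlmangle=s/$/.asc/ \
  https://example.invalid/releases/ example-(\d+\.\d+)\.tar\.gz
EOF
}

# Read the mangle rule back out of the watch file's opts= line.
mangle_rule_of() {
    sed -n 's/^opts=pgpsigurlmangle=\([^ ]*\).*/\1/p' "$1/debian/watch"
}

# Apply a pgpsigurlmangle rule to one URL. uscan treats the rule as a Perl
# s/// substitution; for the anchored form above, sed gives the same result
# (assumption: the rule uses only sed-compatible syntax).
sig_url_from_mangle() {
    rule="$1"; url="$2"
    printf '%s\n' "$url" | sed -e "$rule"
}

# The tag also expects the keyring the downloaded signature is checked
# against; without it the mangle rule alone verifies nothing.
keyring_present() {
    [ -s "$1/debian/upstream-signing-key.asc" ]
}

# Usage: write_watch_file /tmp/pkg; mangle_rule_of /tmp/pkg
```

Note that this only describes the download side: whether the result means anything depends on the upstream actually publishing detached signatures, which, as the discussion below points out, is not the case for a project that only signs git tags.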

Details

Impact
Normal

Event Timeline

Patrick raised the priority of this task from to High.
Patrick updated the task description.
Patrick set Impact to High.
Patrick added subscribers: Patrick, HulaHoop, nrgaway and 2 others.

I had to force disable lintian to compile jessie:

sed -i "s/make_use_lintian=\"true\"/make_use_lintian=\"false\"/g" "${WHONIX_DIR}/build-steps.d/1200_create-debian-packages"

I initially tried just to uninstall lintian, because your bash makefile script had the option to do so, but when I did that there was some error that it was expecting lintian.

I have not got to the point where the build is successful, as I am getting stuck on 1700_install-packages (broken packages).

It's a different issue. Found a related issue and fixed it: T279

Lintian quick fix ticket: T280

Lintian real fix ticket: T281

I would like to limit this ticket on how to actually solve debian-watch-may-check-gpg-signature. Any idea?

Patrick lowered the priority of this task from High to Normal. Apr 27 2015, 12:48 AM
Patrick changed Impact from High to Normal.
  • Our debian/watch files are broken anyhow. (uscan does no longer work with them. Probably because github changed something.)
  • We're not providing tarballs and/or detached OpenPGP signatures for packages. Only signed git tags.
  • uscan does not support [signed] git [tags] (yet?).

So rather than going in circles trying to fix this, unless someone wants to contribute a better solution (patches welcome!), my current plan is only a workaround: to add a lintian override to all packages.

Patrick claimed this task.

all packages: added debian/source/lintian-overrides with debian-watch-may-check-gpg-signature to fix lintian warning - https://phabricator.whonix.org/T277:
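The override approach chosen above, as an added example that is not the genmkfile or Whonix build code: a script that walks a tree of package directories and appends the source-package override for the tag to debian/source/lintian-overrides wherever a debian/watch file exists, without duplicating the line on repeated runs. The directory layout (one directory per package, each containing debian/control) and the helper names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the genmkfile or Whonix build code): add the lintian
# override from the ticket to every package directory under a tree,
# idempotently. Layout assumption: each package directory holds debian/control.
set -eu

TAG="debian-watch-may-check-gpg-signature"

# Append the override line for a source-package tag unless already present.
# Lintian reads debian/source/lintian-overrides for source-package overrides;
# the "source:" prefix restricts the override to that package type.
add_source_override() {
    pkgdir="$1"; tag="$2"
    file="$pkgdir/debian/source/lintian-overrides"
    mkdir -p "$pkgdir/debian/source"
    touch "$file"
    if ! grep -qxF "source: $tag" "$file"; then
        printf 'source: %s\n' "$tag" >> "$file"
    fi
}

# Only packages that actually ship a watch file can trigger this tag, so
# packages without one are left untouched rather than blanket-overridden.
needs_override() {
    [ -f "$1/debian/watch" ]
}

# Walk every package directory below $1, add the override where needed and
# print the number of packages handled.
add_override_tree() {
    root="$1"; count=0
    for control in "$root"/*/debian/control; do
        [ -f "$control" ] || continue
        pkgdir=${control%/debian/control}
        if needs_override "$pkgdir"; then
            add_source_override "$pkgdir" "$TAG"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Number of times the tag's override line appears in one package's file
# (0 when the file does not exist; stays 1 however often the tree is walked).
override_count() {
    file="$1/debian/source/lintian-overrides"
    [ -f "$file" ] || { echo 0; return; }
    grep -cxF "source: $2" "$file" || true
}

# Usage: add_override_tree /path/to/packages
```

Keeping the override narrow (only packages with a watch file, only the source type) means a later removal of the watch files, or a uscan that learns to verify signed git tags, leaves no stale overrides behind that would hide a real finding.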