• Bug#1110176: devscripts: Fails to build from source when sqopv is insta

    From Uwe Kleine-König@21:1/5 to All on Thu Jul 31 09:50:01 2025
    Package: devscripts
    Version: 2.25.15
    Severity: wishlist
    X-Debbugs-Cc: [email protected]

    Hello,

    devscripts 2.25.15 fails to build when sqopv is installed. This was
    somewhat addressed in commit 1b9fa5668bb2 ("Test depends on gpgv, it
    fails with sopv which seems not equivalent"), but this only fixes the
    problem for building in a minimal system. With both gpgv and sqopv
    installed the test still fails.

    The failure looks as follows then:

    ./test_uscan_svn
    =======================================================================
    *** uscan Svn test ***
    =======================================================================
    make[4]: Entering directory '/home/uwe/debsrc/devscripts/scripts'
    make[4]: 'uscan' is up to date.
    make[4]: 'mk-origtargz' is up to date.
    make[4]: 'uupdate' is up to date.
    make[4]: 'debchange' is up to date.
    make[4]: Leaving directory '/home/uwe/debsrc/devscripts/scripts'
    Using test OpenPGP key:
    gpg: enabled compatibility flags:
    gpg: using pgp trust model
    /tmp/gpg.ZlZDQ/pubring.gpg
    --------------------------
    pub rsa4096 2015-09-02 [SC]
    CF218F0E7EABF584B7E20402C77E2D6872543FAF
    uid [ unknown] uscan test key (no secret) <[email protected]>
    sub rsa4096 2015-09-02 [E]

    testSvn
    <dehs>
    Newest version of foo on remote site is 2.0, local version is 0
    => Newer package available from:
    => file:////tmp/shunit.ih0rJG/tmp/uscan_git.a407Zr/repo refs/tags/v2.0
    Cloning into bare repository '../foo-temporary.844870.git'...
    warning: refs/tags/v2.0 84e540a89e840f7b33bbb1b32fe722ed73caf472 is not a commit!
    No acceptable signatures found
    uscan: error: sopv verify /tmp/tmp.1zCsC3rwv2/sig debian/upstream/signing-key.asc subprocess returned exit status 3
    ASSERT:uscan: exit_code!=0 but exit_code=0 expected:<25> but was:<0>
    ASSERT:pristine tarball not created
    ASSERT:pristine tarball should be a symlink
    testGitSignedTagWithDestDir
    <dehs>
    Newest version of foo on remote site is 2.0, local version is 0
    => Newer package available from:
    => file:////tmp/shunit.ih0rJG/tmp/uscan_git.cNsMlp/repo refs/tags/v2.0
    Cloning into bare repository '/tmp/shunit.ih0rJG/tmp/uscan_git.cNsMlp/destdir/foo-temporary.845157.git'...
    warning: refs/tags/v2.0 0641e5ae40ef9a57b8b3f4c5133e85504c67b52a is not a commit!
    No acceptable signatures found
    uscan: error: sopv verify /tmp/tmp.n0LIaUhKuI/sig debian/upstream/signing-key.asc subprocess returned exit status 3
    ASSERT:uscan: exit_code!=0 but exit_code=0 expected:<25> but was:<0>
    ASSERT:pristine tarball not created
    ASSERT:pristine tarball should be a symlink
    testGitUncompressed
    Newest version of foo on remote site is 1, local version is 0
    => Newer package available from:
    => http://localhost:34271/foo-1.tar.gz
    Successfully repacked ../foo-1.tar.gz as ../foo_1.orig.tar.bz2.

    testRepackBZ2_GZ
    testGitUpstream
    testGitUpstreamSignedTag
    <dehs>
    uscan warn: Using upstream remote origin
    Newest version of foo on remote site is 2.0, local version is 0
    => Newer package available from:
    => file:////tmp/shunit.ih0rJG/tmp/uscan_git.5r1jS4/repo refs/tags/v2.0
    No acceptable signatures found
    uscan: error: sopv verify /tmp/tmp.ukQki2MI54/sig debian/upstream/signing-key.asc subprocess returned exit status 3
    ASSERT:uscan: exit_code!=0 but exit_code=0 expected:<25> but was:<0>
    ASSERT:pristine tarball not created
    ASSERT:pristine tarball should be a symlink
    testGitUpstreamIgnoreExclusions
    Newest version of foo on remote site is 1.0, specified download version is 1.0
    No acceptable signatures found
    uscan: error: sopv verify ../foo-1.0.tar.gz.asc debian/upstream/signing-key.asc subprocess returned exit status 3
    ASSERT:uscan: exit_code!=0 but exit_code=0 expected:<3> but was:<0>
    ASSERT:foo_1.0.orig.tar.gz missing: opts=pgpsigurlmangle=s/$/.asc/ @@@url@@@([\.\d]+)/(.+)/(.+)/ @PACKAGE@@ANY_VERSION@@ARCHIVE_EXT@ debian uupdate
    ./test_uscan_ftp: line 262: cd: /tmp/tmp.iqmMqFDO5F/foo-1.0: No such file or directory
    ASSERT:pristine tarball is not extracted
    testSvnPgpmodeDefault
    dpkg-parsechangelog: error: cannot open file debian/changelog: No such file or directory
    ASSERT:uscan: Version should be 1.0-1 but expected:<> but was:<1.0-1>

    testWatch4NonNativeDlUversion
    FTP starting ... /tmp/tmp.Pq3jwL5X0g/repo
    testGitSubmodules
    Newest version of foo on remote site is 1, local version is 0
    => Newer package available from:
    => http://localhost:44355/foo-1.tar.bz2
    Successfully repacked ../foo-1.tar.bz2 as ../foo_1.orig.tar.gz.

    testRepackGZ_GZ
    testGitSubmodulesIgnoreExclusions


    The problem is that `test/uscan/PRIVATE_KEY.asc` uses a SHA1 binding and Sequoia is picky about that:

    $ sq cert lint < test/uscan/PRIVATE_KEY.asc
    Certificate C77E2D6872543FAF is not valid under the standard policy: No binding signature at time 2025-07-31T07:34:40Z
    Certificate C77E2D6872543FAF contains a User ID (uscan test key (no secret) <[email protected]>) protected by SHA-1
    Certificate C77E2D6872543FAF, key BC66639052C6ED39 uses a SHA-1-protected binding signature.
    Examined 1 certificate.
    0 certificates are invalid and were not linted. (GOOD)
    1 certificate was linted.
    1 of the 1 certificates (100%) has at least one issue. (BAD)
    0 of the linted certificates were revoked.
    0 of the 0 certificates has revocation certificates that are weaker than the certificate and should be recreated. (GOOD)
    0 of the linted certificates were expired.
    1 of the non-revoked linted certificate has at least one non-revoked User ID:
    1 has at least one User ID protected by SHA-1. (BAD)
    1 has all User IDs protected by SHA-1. (BAD)
    1 of the non-revoked linted certificates has at least one non-revoked, live subkey:
    1 has at least one non-revoked, live subkey with a binding signature that uses SHA-1. (BAD)
    0 of the non-revoked linted certificates have at least one non-revoked, live, signing-capable subkey:
    0 certificates have at least one non-revoked, live, signing-capable subkey with a strong binding signature, but a backsig that uses SHA-1. (GOOD)

    Error: 1 certificate have at least one issue

    This is easily fixable by doing:

    sq cert lint --fix < test/uscan/PRIVATE_KEY.asc > l
    mv l test/uscan/PRIVATE_KEY.asc

    Best regards
    Uwe
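
An added illustration, not part of the original report or of devscripts: a small Python parser that lists the binding signatures in an OpenPGP key that use a weak hash, which is the condition `sq cert lint` reports above. The packet bytes in `SAMPLE` are constructed for the example; only v4 signatures and definite packet lengths are handled.

```python
import base64

# Hash algorithm IDs from RFC 4880 section 9.4; WEAK is what gets flagged.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}
# Certifications (0x10-0x13) bind User IDs; 0x18/0x19 bind subkeys.
BINDING_TYPES = {0x10, 0x11, 0x12, 0x13, 0x18, 0x19}

def dearmor(text):
    """Decode an ASCII-armored block; the CRC line is skipped, not checked."""
    lines = [l.strip() for l in text.strip().splitlines()]
    start = lines.index("") + 1  # armor headers end at the first blank line
    return base64.b64decode("".join(
        l for l in lines[start:] if l and not l.startswith(("=", "-----"))))

def packets(data):
    """Yield (tag, body) per packet; only definite lengths are handled."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:  # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length not handled")
        else:  # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not handled")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def weak_bindings(data):
    """Return (signature type, hash name) for v4 binding signatures with a weak hash."""
    found = []
    for tag, body in packets(data):
        if tag == 2 and len(body) >= 4 and body[0] == 4 and body[1] in BINDING_TYPES:
            name = HASH_NAMES.get(body[3], "unknown")
            if name in WEAK:
                found.append((hex(body[1]), name))
    return found

# Constructed sample: three truncated v4 signature packets (not a real key).
_body = lambda sig_type, hash_id: bytes([4, sig_type, 1, hash_id, 0, 0, 0, 0])
SAMPLE = (b"\x88\x08" + _body(0x13, 2)      # old-format header, User ID cert, SHA-1
          + b"\xc2\x08" + _body(0x18, 2)    # new-format header, subkey binding, SHA-1
          + b"\x88\x08" + _body(0x18, 8))   # subkey binding, SHA-256
```

For a key file on disk, pass `dearmor(open(path).read())` to `weak_bindings`.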
