- Package: devscripts
- Source: devscripts
- Description: scripts to make the life of a Debian Package maintainer easier
- Submitter: Sean Whitton
- Date: 2025-07-21 14:09:02 UTC
- Severity: normal
- Tags:
Dear maintainers,

uscan tries appending .asc to the tarball download URI. If that returns HTTP 200, it will say something like this:

However, as can be seen from this example, uscan has appended .asc to the query string i.e. the part of the URI after the final '?' character. It is highly unlikely that this will ever be a real signature file.

uscan should, in this kind of case, try the following URI:

https://addons.mozilla.org/firefox/downloads/file/423258/self_destructing_cookies-0.4.10-an+fx.xpi.asc?src=version-history

i.e. append the .asc to the part of the URI before the query string.

Thanks!

```
--- /etc/devscripts.conf ---

--- ~/.devscripts ---
DEBCHANGE_FORCE_SAVE_ON_RELEASE=no
DEBRELEASE_UPLOADER=dput
DEBSIGN_KEYID=0x0F56D0553B6D411B
DEB_SIGN_KEYID=0x0F56D0553B6D411B
DEBSIGN_PROGRAM=gpg
RMADISON_DEFAULT_URL=debian,ubuntu
DSCVERIFY_KEYRINGS=~/.gnupg/pubring.gpg
DEBUILD_DPKG_BUILDPACKAGE_OPTS="-us -uc"
```
Hi,

Yes. In this case, the heuristics do not work.

The upstream tarball filename is normally found by taking the last component of the URL and removing everything after any '?' or '#'.

The problem is that some query strings contain the upstream archive name after '?'.

Use of pgpsigurlmangle is one way to avoid this problem. But let me think if there is a bit more reasonable heuristic with the least complication.

Osamu

Yah...

Osamu
Hi,

I made a quick fix to address this bug as attached against git head: a830277fec6cea2b4c6cba86ca3a45ceea309b06

This should work not only for default but also for auto.

Sean Whitton, what do you think of this? I will test this later this week when I find some time.

Regards,

Osamu

PS: Writing Perl code is a headache for me.
Hello Osamu, Thank you for working on this bug! In the case there is a query string you have: And in the case with no query string, you use the old code: Shouldn't there be a '$' in the first one, too?
Er, I was too tired when I wrote this. Patch LGTM, though of course needs testing. Thanks again.
control: tags -1 moreinfo
thanks

(FYI: https://bugs.debian.org/833012 )

I tested my updated script and fixed several loose ends. I think the thought is right, but I need an actual example which works with this new pgpmode=auto with "?" in the URL.

Your bug report isn't good enough for me to proceed. I made a second guess at what you were thinking and failed to find an example. If you can point me to an example debian/watch file which needs your requested feature, let me know.

Here is the background:

Since you didn't provide a watch file, I am guessing from #831829 that this watch file is the one found in:

```
$ git clone https://anonscm.debian.org/git/pkg-mozext/self-destructing-cookies.git
```

Its debian/watch has:

```
version=3
opts="repack, compression=xz" \
https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/versions/ \
.*/self_destructing_cookies-([0-9.]+).*[.]xpi.* \
debian
```

The https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/versions/ is not so simple. The web page depends on the browser. With Firefox, an "Add to Firefox" button appears. So I looked around.

This may be because this URL site has contents such as:

```
<p class="install-button">
<a class="button download "
   data-hash="sha256:340d7d9a73b9b11579f75fa75b508ded5b792728b42259cf1c7aead69bc0b7f9"
   href="https://addons.mozilla.org/firefox/downloads/file/423258/self_destructing_cookies-0.4.10-an+fx.xpi?src=version-history"
>
```

So the watch file may be looking for a match for:

https://addons.mozilla.org/firefox/downloads/file/423258/self_destructing_cookies-0.4.10-an+fx.xpi?src=version-history

So far it makes sense.

When I checked, the recent release doesn't have "-signed" in "Version 0.4.12", while an older release has "Version 0.4.7.1-signed". Strange. Are you sure this site still provides a signature file?

If you add ".asc" before "?" as

https://addons.mozilla.org/firefox/downloads/file/423258/self_destructing_cookies-0.4.10-an+fx.xpi.asc?src=version-history

this URL with wget downloads the same self_destructing_cookies-0.4.10-an+fx.xpi file!!! This can't be the signature file. (Too big, too.)

I realize the current uscan.pl code is not good for "pgpmode=auto" for another reason, since it forces the downloaded signature file extension to be pgp. So the current code needs to be fixed. I already fixed this problem with your wishlist case.

I need to get a working example case before committing my new change. Let me know more.

Osamu
Hello Osamu,

The -signed has nothing to do with PGP. Please ignore it.

Urgh. This is a problem at Mozilla's end, I guess. Unless uscan adds a size heuristic I don't think we can work around it.

Unfortunately the only cases where I saw this bug were packages obtained from addons.mozilla.org, so I don't have another test case for you.
I think I ran into this bug today. https://gitlab.gnome.org/cheywood/iotas and https://gitlab.gnome.org/World/Shortwave only publish unsigned tarballs. uscan thinks there is a .asc file present though:

```
...
uscan info: Not downloading, using existing file: iotas-0.1.16.tar.bz2
uscan info: Start checking for common possible upstream OpenPGP signature files
uscan warn: Possible OpenPGP signature found at: https://gitlab.gnome.org/cheywood/iotas/-/archive/0.1.16/iotas-0.1.16.tar.bz2.asc
 * Add opts=pgpsigurlmangle=s/$/.asc/ or opts=pgpmode=auto to debian/watch
 * Add debian/upstream/signing-key.asc. See uscan(1) for more details
uscan info: End checking for common possible upstream OpenPGP signature files
uscan info: Missing OpenPGP signature.
uscan info: New orig.tar.* tarball version (oversionmangled): 0.1.16
...
```

The asc leads to a 404 (when being logged in to GNOME gitlab) and the login page otherwise. These are the only two cases where I had this bug (note that I do maintain a few other packages hosted at GNOME's GL instance).

regards,
werdahias
Hi, did you try pgpmode=none or pgpmode=next ?
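
The URL rewrite requested in this report, together with the kind of content check the thread circles around (a size heuristic, and a 200 response that is really the tarball or a login page), as an added example that is not uscan's code and not written by any participant. The function names, the 64 KiB ceiling and the sample bodies are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

ARMOR_HEADER = b"-----BEGIN PGP SIGNATURE-----"
MAX_SIG_BYTES = 64 * 1024  # assumed ceiling for a detached signature

# Constructed sample bodies (not real downloads).
SAMPLE_ARMORED = ARMOR_HEADER + b"\n\n(constructed)\n-----END PGP SIGNATURE-----\n"
SAMPLE_BZ2 = b"BZh91AY&SY" + b"\x00" * 32
SAMPLE_LOGIN = b"<!DOCTYPE html><html><title>Sign in</title></html>"


def signature_url(tarball_url, suffix=".asc"):
    """Append suffix to the URL path, keeping ?query and #fragment in place."""
    parts = urlsplit(tarball_url)
    return urlunsplit(parts._replace(path=parts.path + suffix))


def is_binary_signature_packet(body):
    """True if the first OpenPGP packet header carries tag 2 (Signature)."""
    first = body[0]
    if not first & 0x80:                 # bit 7 is set in every packet header
        return False
    if first & 0x40:                     # new-format header: tag in bits 5-0
        return (first & 0x3F) == 2
    return ((first >> 2) & 0x0F) == 2    # old-format header: tag in bits 5-2


def looks_like_detached_signature(body, content_type=""):
    """Sanity-check an HTTP 200 body before reporting it as a signature."""
    if not body or len(body) > MAX_SIG_BYTES:
        return False                     # empty, or tarball-sized
    if content_type.split(";")[0].strip().lower() == "text/html":
        return False                     # login or error page served with 200
    if body.lstrip().startswith(ARMOR_HEADER):
        return True
    return is_binary_signature_packet(body)


if __name__ == "__main__":
    url = ("https://addons.mozilla.org/firefox/downloads/file/423258/"
           "self_destructing_cookies-0.4.10-an+fx.xpi?src=version-history")
    print(signature_url(url))
    for name, body in [("armored", SAMPLE_ARMORED), ("bzip2", SAMPLE_BZ2),
                       ("login page", SAMPLE_LOGIN)]:
        print(name, looks_like_detached_signature(body))
```

Passing this check only means the body has the shape of a signature; whether it is valid is still decided by verifying it against debian/upstream/signing-key.asc.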