From 0106f555736c5a94052b758cc09f7ca4ac40a454 Mon Sep 17 00:00:00 2001
From: Jonathan Nieder
Date: Sun, 27 Jan 2019 16:54:58 -0800
Subject: [PATCH] debian/watch: Download upstream source more securely

Use https instead of http for transport for transport-layer privacy and integrity protection.

More importantly, specify pgpsigurlmangle and a signing key to allow "uscan" to check that the tarball was genuinely released by Lasse Collin. Based on advice from Policy 4.11.

While we're here, use the XZ compressed tarball, since it's a little smaller.
---
 debian/changelog | 2 ++
 debian/upstream/signing-key.asc | 75 +++++++++++++++++++++++++++++++++++++++++
 debian/watch | 4 +--
 3 files changed, 79 insertions(+), 2 deletions(-)
 create mode 100644 debian/upstream/signing-key.asc

diff --git a/debian/changelog b/debian/changelog
index 58db3006..d4d719b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
 xz-utils (5.2.4-0.1) unstable; urgency=low
 
   * New upstream release. Closes: #851615.
+  * Use an XZ compressed tarball for upstream source.
+  * Add upstream signing key and verify tarball at "uscan" time.
   * Drop patches; all were applied or otherwise fixed upstream.
   * Update copyright file.
   * debian/control:
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 00000000..17f5e816
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@ -0,0 +1,75 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBEzEOZIBEACxg/IuXERlDB48JBWmF4NxNUuuup1IhJAJyFGFSKh3OGAO2Ard +sNuRLjANsFXA7m7P5eTFcG+BoHHuAVYmKnI3PPZtHVLnUt4pGItPczQZ2BE1WpcI +ayjGTBJeKItX3Npqg9D/odO9WWS1i3FQPVdrLn0YH37/BA66jeMQCRo7g7GLpaNf +IrvYGsqTbxCwsmA37rpE7oyU4Yrf74HT091WBsRIoq/MelhbxTDMR8eu/dUGZQVc +Kj3lN55RepwWwUUKyqarY0zMt4HkFJ7v7yRL+Cvzy92Ouv4Wf2FlhNtEs5LE4Tax +W0PO5AEmUoKjX87SezQK0f652018b4u6Ex52cY7p+n5TII/UyoowH6+tY8UHo9yb +fStrqgNE/mY2bhA6+AwCaOUGsFzVVPTbjtxL3HacUP/jlA1h78V8VTvTs5d55iG7 +jSqR9o05wje8rwNiXXK0xtiJahyNzL97Kn/DgPSqPIi45G+8nxWSPFM5eunBKRl9 +vAnsvwrdPRsR6YR3uMHTuVhQX9/CY891MHkaZJ6wydWtKt3yQwJLYqwo5d4DwnUX +CduUwSKv+6RmtWI5ZmTQYOcBRcZyGKml9X9Q8iSbm6cnpFXmLrNQwCJN+D3SiYGc +MtbltZo0ysPMa6Xj5xFaYqWk/BI4iLb2Gs+ByGo/+a0Eq4XYBMOpitNniQARAQAB +tCdMYXNzZSBDb2xsaW4gPGxhc3NlLmNvbGxpbkB0dWthYW5pLm9yZz6JAlEEEwEK +ADsCGwMCHgECF4AECwkIBwMVCggFFgIDAQAWIQQ2kMJAzlG0Zw0wrRw47nV9aRhG +IAUCXERzcAUJEx223gAKCRA47nV9aRhGIMgSEACivA8+mQnVbL6mubeAMZpMr5rR +c7VanU9kC5IdC0RcMq/hcNfOJR5ncwM+JY+QCQVxAHBvHKAuHhC/r1Wl+WB6LYzD +wbVszpNdfSnUci+WLETw0BCGhPAQHuUWCMYoQEnFSLxqfjshO1CCCfGHhwkhjplG ++A5eRZua74cZoe4k05OQCwY1mynDzyw1eyYuFZb+TW2YZ3a9/L1UJ7y/BgvxZtq1 +Zllbt4NhYLZc3V1uzRhtU63+M9gL29PE8XM+9jDMrSDrna+3SiwDEJP2SlbtNuxf +W8xKtTkmdvwpbV7xBId8NvmABSQX2TfaEz9yZ1N6U6HzT95v1dsxM2us7ySCkyoQ +KS9BEfpPpsdFL1VQvfsHdU580eCkHhFxPxYxyFfxwlmSeovUlN75e60kF1Lzqagn +l6Jd3+pb/hGXd4PBz1Lrl9a1ERuZzKyMBG2ih6RRVBE7s/vrLF9+eRkjALjmTj/d +cyOaZvvWhmbQRf7d8uZoLp3zkyKsWrk/y+u3J1FmshRN4X5tF66Q0ZME/RimidGA +reiFZ3iTILNu3xd8oMIPENY/KVX7j/HZFGbOIpKAKqHiJEgX2vub5CVSBuXp/M0a +17FJ9l8puy6hH0hlDLplRk4SbzvrALh2GK6pOpFJCm6xPto/wOdlL+l/lgwOHqRC +DxfB4ErQGEn3qlp3jIkCOAQTAQIAIgUCTMQ5kgIbAwYLCQgHAwIGFQgCCQoLBBYC +AwECHgECF4AACgkQOO51fWkYRiAg4A/7BXKwoRaXrMbMPOW7vuVF7c2IKB2Yqzn1 +vLBCwuEHkqY237lDcXY4/5LR+1gcZ3Duw1n/BRSm0FBdvyX/JTWiWNSDUkKAO/0l +T2Tg44YLrDT3bzwu8dbU9xQt6kH+SCOHvv5Oe4k79l5mro6fF3H1M0bN63x/YoFY +ojy09D7/JptY82oR4f/VdKnfZLJcCViCb0wp8SD2NkDAudKg+K+7PD8HlTWklQQg 
+TZdRXxVZKIJeU42aJDqnRbAhJd64YHyClhqut9F5LUmiP5qfLfNhkKDhNOwk2Blr +BGBJkSd7wPyzcX4Mun/L6YspHjbeVMt9TD7HQlo+OOd2OjAHCx6pqwkXnzeLPEaE +cPdQ1SHgrBViAxX3DNPubLP0Knw8XwFu96EuhHZgexE1W7bB4LFsJyXAc5k1PqPD +CLsAauxmvI2OfI7opG/8wyxDvNgoPjG8fZNAgY0REqPC0JnTXChH31IxUmhNotH8 +tD3DDTZOHw05n5MwwUrEE9xiETVDfFQcMLfxZ9KLz+BC2g1t5LYublRgnCMNJzFg +sNUMM02CphABzl/LCLnumr0eyQQ/weV4twEhLwSDmqLYHL0EdYW0Y3CnnU9vmYxQ +cXKbstS71sEJJYBBmSBbf9GxkOY8BRNtwVwY0kPgxv1WqdVBiAFvfB+pyAsrax9B +3UeB7ZSwRD6JAhwEEAEKAAYFAlS25GwACgkQlbYYGy0z6ew92Q//ZA9/6piQtoW4 +PwP/1DtWGyKU8hwR+9FG669iPk/dAG+yoEJtFMOUpg/FUFmCX8Bc4oEHsCVyLxKt +DcCVUIRcYNSFi5hTZaBEbwsOlDT37gtlfIIu34hhHRccKaLnN/N9gNMNw8wGh9xg +Q/KtxZwcbk/bZIlDkKTJkFBRAekdEGAFDWb/AZOy+LQxS8ZAh1eWkfV0i8opmK9k +gPXtLE0WSsqtYyGs58z+BFE9NH3tEUwK6jSvtuLwQl4UrICNbKthcpb8WwH6UXzb +q3QNSYVOpf/cqRdBJA6bvb/ku/xyKVL08lGmxD9v1b137R7mafDAFPTsvH2Mt/0V +YuhtWav3r1Bl9QksDxt2DTS8wiWDUBetGqOVdcw7vBrXPEWDNBmxeJXsiJ7zJlR+ +9wrJOm6RV2+l1IPxu96EaPS+kTNBijKrhxb67bww8BTEWTd0wcdJmgWRkM8SIstp +IKqd0L2TFYph2/NtrBhRg+DIEPJPpSTGsUMcCEXCZPQ+cIdlQKsWpk0tZ62DlvEl +r7E+wgUSQolRfx5KrpZifiS2zQlhzdXv28CJhsVbLyw5fUAWUKIH/dCo5NKsNLk2 +Lc5DH9VWnFgxAAtW290FqeK/4ulMq7Vs1dQSwyHM2Ni3QqqeaiOrh8gbSY5CMLFN +Y3HYRwuTYPa3AobsozCzBj0Zdf/6AFe5Ag0ETMQ5kgEQAL/FwKdjxgPxtSpgq1SM +zgZtTTyLqhgGD3NZfadHWHYRIL38NDV3JeTA79Y2zj2dj7KQPDT+0aqeizTV2E3j +P3iCQ53VOT4consBaQAgKexpptnS+T1DobtICFJ0GGzf0HRj6KO2zSOuOitWPWlU +wbvX7M0LLI2+hqlx0jTPqbJFZ/Za6KTtbS6xdCPVUpUqYZQpokEZcwQmUp8Q+lGo +JD2sNYCZyap63X/aAOgCGr2RXYddOH5e8vGzGW+mwtCv+WQ9Ay35mGqI5MqkbZd1 +Qbuv2b1647E/QEEucfRHVbJVKGGPpFMUJtcItyyIt5jo+r9CCL4Cs47dF/9/RNwu +NvpvHXUyqMBQdWNZRMx4k/NGD/WviPi9m6mIMui6rOQsSOaqYdcUX4Nq2Orr3Oaz +2JPQdUfeI23iot1vK8hxvUCQTV3HfJghizN6spVl0yQOKBiE8miJRgrjHilH3hTb +xoo42xDkNAq+CQo3QAm1ibDxKCDq0RcWPjcCRAN/Q5MmpcodpdKkzV0yGIS4g7s5 +frVrgV/kox2r4/Yxsr8K909+4H82AjTKGX/BmsQFCTAqBk6p7I0zxjIqJ/w33TZB +Q0Pn4r3WIlUPafzY6a9/LAvN1fHRxf9SpCByJsszD03Qu5f5TB8gthsdnVmTo7jj +iordEKMtw2aEMLzdWWTQ/TNVABEBAAGJAjwEGAEKACYCGwwWIQQ2kMJAzlG0Zw0w 
+rRw47nV9aRhGIAUCXERzXAUJEx22ygAKCRA47nV9aRhGIDqVD/46sXUGfW5A2dP5
+vk9d0zTERwUAvgzZfZJWTJ38AERiqCbFLonVbqMF4Yj2rCat50nSVvI8UnHO61qT
+SWB/nwdCjTgmHl4N/hhplWSnY/+OcMOgHJ7MF3w7aBvCZqgVN6h/2w2oUCI18KHF
+/KkoWu66DrqWhOzWP0feI3UCgLuzZP7KJ6oE6yv3w0I8vV/2G4Mm7HSgstLur5vZ
+yO/MyiV/x2OR33H25HhwHEzZMm0vO+EAR4FWcLqX/70rv5Qy4QY0aLSC5EvY3X9Q
+4P0QxiEjmRsGgm7dh03Pxbr01JH5sIW6gnrCs0oxmdnLt8XyMYkvGdUdllVUe1XX
+0UT6buHetWNOv6RoS9g0E+GEI7I7qEl7x9z7rB3AWwOU6FFteggBFfXI/AmRIfBg
+/NUdM4Co1sIjyyyQcGgIYiq9MvyGRSey9/td9yaQpB02oITfyqwShRY3a2CnXr6l
+nW4uwa0LrNA6eBDVub0GLADvJiqwagt8uJqSBq8aGQgn9xhPUptKJlwKfKYHVdVS
+n95tAusFKQ9ECgW3Tteu76pmwBhgtieWqcW+fzI04+nDD2xSozlEaEoaDHD4Ti70
+wW3VWzUd2E6HDlWw+uG7Ll9E/O7fCsZ2obEIUWRjzQKb1992CcfUb/kuwF2CtAVV
+aGKSZLbWRS47D8RFJS+CAn6a3TqNLQ==
+=TZ8V
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/debian/watch b/debian/watch
index 6352a9cc..c2537b28 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,3 +1,3 @@
 version=3
-opts=dversionmangle=s/\+\d{8}$// \
-http://tukaani.org/xz/xz-([\d.]*(?:beta)?)\.tar\.gz
+opts=dversionmangle=s/\+\d{8}$//,pgpsigurlmangle=s/$/.sig/ \
+https://tukaani.org/xz/xz-([\d.]*(?:beta)?)\.tar\.xz
-- 
2.11.4.GIT
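Review bot: The key added in debian/upstream/signing-key.asc becomes the root of trust for every future uscan download, yet neither the key file, the changelog entry nor the commit message records its fingerprint or how the key was obtained and checked, so a reviewer of this hunk cannot distinguish the genuine upstream key from a substituted one. Record the full fingerprint and the verification path (for example, cross-checked against the key published on the upstream site and the copy in the Debian keyring) in the commit message or changelog, and confirm it with `gpg --show-keys debian/upstream/signing-key.asc` before merging. It is also worth confirming the file holds exactly one key, since a signature from any key present in this keyring will satisfy uscan, so an extra key silently widens who can "release" xz. The armored block itself looks intact (self-signature and armor checksum `=TZ8V` are present), but that only proves integrity of the file, not authenticity of the key.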
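Review bot: `pgpsigurlmangle=s/$/.sig/` switches on signature checking, but the watch file gives a reader no way to know which signer is expected, so a later swap of the keyring file would not stand out in review; add a comment above the `opts=` line such as `# Upstream tarballs are signed by Lasse Collin; key in debian/upstream/signing-key.asc (fingerprint: <fill in and verify against upstream>)`. The https scheme and the `.sig` derivation look right for the existing URL layout, on the assumption that a detached `xz-VERSION.tar.xz.sig` is published next to each tarball; `dversionmangle` and the `version=3` header are unchanged. If the package later moves to watch version 4, `pgpmode=auto` could replace the explicit mangle, but that is optional and not a defect here.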