Page MenuHomePureOS Tracker

lintian: relax email address requirement in Change-by check
Open, NormalPublic


We currently have this in gitlab-ci:

E: librem5-ci changes: changed-by-invalid-for-derivative Librem5 CI <> (should use email addresses)

This got me thinking if it makes sense at all. Shouldn't we relax that (maybe mark as info or pedantic) since community contributors would hit the same problem even when it's a sponsored upload by someone with archive access?

Event Timeline

guido renamed this task from lintian: relax email address requirent in Change-by check to lintian: relax email address requirement in Change-by check.Sep 10 2021, 01:07
guido created this task.
jeremiah.foster assigned this task to mak.Sep 22 2021, 08:15
jeremiah.foster triaged this task as Normal priority.
jeremiah.foster added a subscriber: jeremiah.foster.

This is a good question. Since it affects security in the archive I'd like to have consensus and have Matthias' view.

guido added a comment.Sep 22 2021, 10:16

It's not a rejection reason (afaik Laneakia doesn't reject based on linitan errors yet) so likely not security relevant or am i missing something?

Won't users have to sign the package with their email address? So won't the email address have to be in the keyring? Or is there a workaround?

guido added a comment.Sep 23 2021, 07:52

The linitan check is about the fields in d/control. I doesn't care who signs/uploads the package later on.

jeremiah.foster added a comment.EditedSep 23 2021, 13:13

Oh I see. This means that d/control email address can be arbitrary but the uploading key must be in the keychain. Thanks for the clarification. In such case we ought to mark it as pedantic (or just info) in Lintian.

mak added a comment.Sep 25 2021, 11:08

To me, this Lintian check actually makes little sense. The one for Maintainer is important, so the maintenance status is reflected in the modified package, but Changed-by could be any address. When Zlatan and I created the project, the initial goal was explicitly to get the community involved and have people outside of Purism contribute. That didn't really work out, but by limiting change authors to people with an address we make this even less likely and also make the project look a lot more like a Purism inside job than is good for it ;-)

So, IMHO we should either drop this check or relax it quite a bit (to pedantic or lower...).