Backporting Using Prevu
The prevu package automates the backporting of packages from the current development release of Ubuntu to a stable release. It is pretty simple to use, but there are a couple of gotchas, caused by scripts it calls from the devscripts package, that require workarounds:
- dscverify doesn't check Ubuntu archive digital keys when verifying source package signatures, thus causing it to fail
- dscverify fails with some development packages because they are signed by an individual developer's key, not the Ubuntu archive or master key.
The first issue will cause:
dscverify: can't find any Debian keyrings
The fix is to add
/usr/share/keyrings/ubuntu-archive-keyring.gpg /usr/share/keyrings/ubuntu-master-keyring.gpg
to the list of key-rings checked in the devscripts script /usr/bin/dscverify.
I've posted debdiff patches to the bug report on Launchpad for this: Bug #228296: dscverify does not find Debian keyring
The second issue is solved by adding a custom setting to ~/.devscripts configuration:
DSCVERIFY_KEYRINGS=~/.gnupg/pubring.pgp
This causes dscverify to pass the user public key-ring to gpg.
Now, when a package key can't be found in the public keyring, its ID can be used to import the key into the user key-ring:
gpg: Signature made Sun 03 Aug 2008 11:51:28 BST using DSA key ID 1F41B907
gpg: Can't check signature: public key not found
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 1F41B907
Now the package signature should verify from the new public key in the user key-ring.
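The key-import step above as a small shell helper (an added example, not part of the original post): it reads gpg output in the format shown above, picks out the IDs of keys reported as not found, and prints the matching gpg --recv-keys command for each. The function names and the second sample signature are constructed for illustration, and the parser assumes the message layout quoted above.

```shell
#!/bin/sh
# Added example: turn "public key not found" messages into import commands.

# Constructed sample output: one missing key (as in the post), one known key.
sample_output() {
cat <<'EOF'
gpg: Signature made Sun 03 Aug 2008 11:51:28 BST using DSA key ID 1F41B907
gpg: Can't check signature: public key not found
gpg: Signature made Mon 04 Aug 2008 09:00:00 BST using RSA key ID 0A1B2C3D
gpg: Good signature from "Constructed Example <example@example.invalid>"
EOF
}

# Read gpg output on stdin; print each missing key ID once, in upper case.
missing_key_ids() {
    awk '
        /key ID / {
            # Remember the ID from the most recent "Signature made" line.
            last = ""
            for (i = 1; i < NF; i++)
                if ($i == "key" && $(i + 1) == "ID") last = toupper($(i + 2))
            # Accept hex digits only, so nothing else reaches the command line.
            if (last !~ /^[0-9A-F]+$/) last = ""
        }
        /public key not found/ {
            if (last != "" && !(last in seen)) { seen[last] = 1; print last }
            last = ""
        }
    '
}

# Print (do not run) one import command per missing key.
# $1: keyserver URL, defaulting to the one used in the post.
import_commands() {
    keyserver=${1:-hkp://keyserver.ubuntu.com}
    missing_key_ids | while read -r id; do
        printf 'gpg --keyserver %s --recv-keys %s\n' "$keyserver" "$id"
    done
}

# Demonstration on the constructed sample; no network access is made.
sample_output | import_commands
```

After importing a key, compare its full fingerprint (gpg --fingerprint) with a source you trust, since an 8-digit key ID does not uniquely identify a key.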
