Your message dated Mon, 05 Sep 2016 00:53:52 +0000
with message-id <[email protected]>
and subject line Bug#836553: fixed in poretools 0.6.0+dfsg-1
has caused the Debian Bug report #836553,
regarding poretools: short gpg key used in script
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
836553: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836553
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: poretools
Version: 0.5.1-1
Severity: important
Dear Maintainer,
Your package appears to contain commands which use a short gpg-key
ID. These have recently been identified as potential security concerns,
due to a chance that the wrong key can be imported in the case of a
forced key-ID collision [1].
The affected file is:
Dockerfile [2]
It's not clear to me that the affected file is actually used in the build
script, but it may be referenced somewhere in the package.
Please consider upgrading to a full key ID, for example, replace the command:
gpg --keyserver <keyserver> --recv-keys <key_short_fingerprint>
with
gpg --keyserver <keyserver> --recv-keys <key_full_id>
e.g. (not specific to your package):
gpg --keyserver keyring.debian.org --recv-keys 05C3E651
becomes:
gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651
(Note the tail bytes are the same)
This has previously been forwarded to the security team, who advised to
report individual public bugs against each package - hence this bug.
[1] http://lwn.net/Articles/697417
[2] http://http.debian.net/debian/pool/main/p/poretools/poretools_0.5.1.orig.tar.gz
--- End Message ---
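The report above recommends replacing 32-bit short key IDs in `gpg --recv-keys` calls with full fingerprints. As an added example that is not part of the bug report, the poretools package or Debian's tooling, here is a small Python linter that scans Dockerfile or shell-script text for `--recv-keys` arguments, classifies each identifier by length (8 hex digits = short ID, 16 = long ID, 40 = full v4 fingerprint), reports anything that is not a full fingerprint, and rewrites weak IDs to the fingerprint when a known mapping is supplied. The sample Dockerfile lines are constructed; the key ID and fingerprint values are the ones quoted in the report, and the function names are my own.

```python
"""Lint Dockerfiles / shell scripts for `gpg --recv-keys` calls that name a
key by a short or long key ID instead of the full fingerprint.
Added example; not part of the poretools package or the bug report."""
import re

SHORT_ID_LEN = 8       # 32-bit short key ID: only the last 4 fingerprint bytes
LONG_ID_LEN = 16       # 64-bit long key ID: last 8 bytes, better but still a truncation
FINGERPRINT_LEN = 40   # 160-bit v4 fingerprint: what --recv-keys should be given

# "--recv-keys" followed by one or more hex identifiers, each optionally
# prefixed with 0x (gpg accepts several key IDs in one call).
RECV_KEYS = re.compile(r"--recv-keys((?:\s+(?:0x)?[0-9A-Fa-f]+)+)")

# Constructed sample input; key values are the ones quoted in the bug report.
SAMPLE_DOCKERFILE = """\
FROM debian:jessie
# constructed example lines
RUN gpg --keyserver keyring.debian.org --recv-keys 05C3E651
RUN gpg --keyserver keyring.debian.org --recv-keys 0x6BAF400B05C3E651
RUN gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651
"""


def normalise(token):
    """Strip an optional 0x prefix and upper-case the hex digits."""
    hexpart = token[2:] if token[:2].lower() == "0x" else token
    return hexpart.upper()


def classify(token):
    """Return 'short', 'long', 'fingerprint' or 'unknown' for a key identifier."""
    length = len(normalise(token))
    return {SHORT_ID_LEN: "short", LONG_ID_LEN: "long",
            FINGERPRINT_LEN: "fingerprint"}.get(length, "unknown")


def find_weak_key_ids(text):
    """Return (line_number, token, kind) for every --recv-keys argument
    that is not a full fingerprint."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in RECV_KEYS.finditer(line):
            for token in match.group(1).split():
                kind = classify(token)
                if kind != "fingerprint":
                    findings.append((lineno, token, kind))
    return findings


def is_tail_of(key_id, fingerprint):
    """True if key_id is the trailing 8 or 16 hex digits of fingerprint, i.e.
    the short/long ID derived from it (the 'tail bytes' noted in the report).
    This is exactly why short IDs collide: any key whose fingerprint ends in
    the same 4 bytes matches the same short ID."""
    k, f = normalise(key_id), normalise(fingerprint)
    return (len(f) == FINGERPRINT_LEN
            and len(k) in (SHORT_ID_LEN, LONG_ID_LEN)
            and f.endswith(k))


def upgrade_key_ids(text, known_fingerprints):
    """Rewrite every short/long ID to the full fingerprint it is a tail of,
    for fingerprints listed in known_fingerprints; other tokens are kept."""
    def fix(match):
        tokens = []
        for token in match.group(1).split():
            fp = next((f for f in known_fingerprints if is_tail_of(token, f)), None)
            tokens.append("0x" + normalise(fp) if fp else token)
        return "--recv-keys " + " ".join(tokens)

    fixed = [RECV_KEYS.sub(fix, line) for line in text.splitlines()]
    return "\n".join(fixed) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for lineno, token, kind in find_weak_key_ids(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {kind} key ID {token}; use the full fingerprint")
    print(upgrade_key_ids(SAMPLE_DOCKERFILE,
                          ["0D59D2B15144766A14D241C66BAF400B05C3E651"]))
```

Run over the sample, the linter flags lines 3 and 4 and leaves line 5 alone; the rewrite pass then produces a file on which `find_weak_key_ids` returns nothing. The mapping passed to `upgrade_key_ids` must come from a trusted source (a keyring or the key owner's published fingerprint), not from a keyserver lookup by the same short ID, or the rewrite would simply bake in whichever key the collision returned.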
--- Begin Message ---
Source: poretools
Source-Version: 0.6.0+dfsg-1
We believe that the bug you reported is fixed in the latest version of
poretools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Afif Elghraoui <[email protected]> (supplier of updated poretools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 04 Sep 2016 17:04:55 -0700
Source: poretools
Binary: poretools
Architecture: source
Version: 0.6.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <[email protected]>
Changed-By: Afif Elghraoui <[email protected]>
Description:
poretools - toolkit for nanopore nucleotide sequencing data
Closes: 836553
Changes:
poretools (0.6.0+dfsg-1) unstable; urgency=medium
.
* Imported Upstream version 0.6.0+dfsg
- Update package dependencies
* Reformat debian/watch
* Exclude Dockerfile and windows executables from source distribution
(Closes: #836553)
* Update email address and copyright year
* Bump Standards-Version
* Use encrypted protocols for Vcs URLs
Checksums-Sha1:
5dc194a4fc8d2bb50bf556c55faa7fdbd22074f7 2076 poretools_0.6.0+dfsg-1.dsc
791068315b8110d4f2c29d429ac67b1792971653 68116283 poretools_0.6.0+dfsg.orig.tar.gz
363ccae9132f229499797e2f1c006ea4c78a8fb1 2648 poretools_0.6.0+dfsg-1.debian.tar.xz
Checksums-Sha256:
a96edd3f2829dce2ef76ff63d49054c2bc62f61973e06ce36961f67c4659b513 2076 poretools_0.6.0+dfsg-1.dsc
ee7e0f9526bc533e04851ee5d873675a42b0566c0bfdc8d5808ff989bf79f8b7 68116283 poretools_0.6.0+dfsg.orig.tar.gz
70f1457afddc46c27e3170d2de59a2e39ca4702a1ae76729691f852d3e4e17fb 2648 poretools_0.6.0+dfsg-1.debian.tar.xz
Files:
8a82abb9b31cc7afc212b1d9043ae455 2076 science optional poretools_0.6.0+dfsg-1.dsc
9a71cb4a50cafbfb7711134c904051c1 68116283 science optional poretools_0.6.0+dfsg.orig.tar.gz
e318d19ca6bac50acb2c77f15a8f022f 2648 science optional poretools_0.6.0+dfsg-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=I69W
-----END PGP SIGNATURE-----
--- End Message ---