Your message dated Mon, 05 Sep 2016 17:12:28 +0200
with message-id
<1473088348.2382843.716245769.4b5e9...@webmail.messagingengine.com>
and subject line Re: Bug#836560: softhsm2: short gpg ids listed in documentation
has caused the Debian Bug report #836560,
regarding softhsm2: short gpg ids listed in documentation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
836560: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836560
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: softhsm2
Version: 2.1.0-3
Severity: normal
Dear Maintainer,
Your package appears to contain commands which use a short gpg-key
ID. These have recently been identified as potential security concerns,
due to a chance that the wrong key can be imported in the case of a
forced key-ID collision [1].
The affected file is:
WIN32-NOTES.md [2]
This appears to be a set of build instructions for a windows system,
so may require forwarding to upstream, as it may not apply to the
debian-built package per se.
Please consider upgrading to a full key ID, for example, replace the command:
eg (not specific to your package):
gpg --keyserver keyring.debian.org --recv-keys 05C3E651
becomes:
gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651
(Note the tail bytes are the same)
This has previously been forwarded to the security team, who advised to
report individual public bugs against each package - hence this bug.
[1] http://lwn.net/Articles/697417
[2] debian git repository, git://anonscm.debian.org/pkg-nlnetlabs/softhsm2.git
commit 63d7b402222d72263c2dfff9ded40c4988698670
--- End Message ---
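The report above asks for full fingerprints in place of 8-hex-digit key IDs, and notes that the short ID is simply the tail of the fingerprint. The following checker is an added example, not code from the bug report, SoftHSM or Debian: it scans documentation text for `gpg --recv-keys` invocations, classifies each key argument as a 32-bit short ID, 64-bit long ID or 160-bit v4 fingerprint, and confirms that a proposed replacement fingerprint really ends in the short ID it replaces. The `SAMPLE_DOC` text is constructed for the example and is not the content of WIN32-NOTES.md.

```python
import re

# Constructed sample of build documentation (not the real WIN32-NOTES.md).
# The key values are the ones quoted in the bug report.
SAMPLE_DOC = """\
Install the build dependencies and import the signing key:

    gpg --keyserver keyring.debian.org --recv-keys 05C3E651
    gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651
    gpg --recv-keys 6BAF400B05C3E651
"""

# Hex-digit lengths of the three key identifier forms gpg accepts.
KEYID_KINDS = {8: "short", 16: "long", 40: "fingerprint"}


def strip_hex(token):
    """Drop an optional 0x prefix and upper-case the remaining hex digits."""
    hexpart = token[2:] if token.lower().startswith("0x") else token
    return hexpart.upper()


def classify_keyid(token):
    """Return 'short', 'long', 'fingerprint' or 'malformed' for one --recv-keys argument."""
    hexpart = strip_hex(token)
    if not re.fullmatch(r"[0-9A-F]+", hexpart):
        return "malformed"
    return KEYID_KINDS.get(len(hexpart), "malformed")


def find_weak_recv_keys(text):
    """Scan text for gpg --recv-keys calls whose arguments are not full fingerprints.

    Returns a list of (line_number, token, kind) so the finding can be reported
    against the documentation file under review.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = re.search(r"--recv-keys\s+(.*)", line)
        if not match:
            continue
        for token in match.group(1).split():
            if token.startswith("-"):
                continue  # another gpg option, not a key identifier
            kind = classify_keyid(token)
            if kind != "fingerprint":
                findings.append((lineno, token, kind))
    return findings


def short_id_matches_fingerprint(short_id, fingerprint):
    """Check that a proposed full fingerprint ends in the short/long ID it replaces.

    A v4 key ID is the low-order 32 or 64 bits of the 160-bit fingerprint, so the
    replacement is consistent only if the fingerprint's tail equals the old ID.
    """
    sid = strip_hex(short_id)
    fpr = strip_hex(fingerprint)
    if len(fpr) != 40 or len(sid) not in (8, 16):
        return False
    return fpr.endswith(sid)


if __name__ == "__main__":
    for lineno, token, kind in find_weak_recv_keys(SAMPLE_DOC):
        print(f"line {lineno}: {kind} key ID {token}; replace with the full fingerprint")
    print(short_id_matches_fingerprint("05C3E651",
                                       "0x0D59D2B15144766A14D241C66BAF400B05C3E651"))
```

Run against a documentation tree, `find_weak_recv_keys` reports exactly the class of line the report objects to; `short_id_matches_fingerprint` is the check a reviewer applies before accepting the edited command, so that the "tail bytes are the same" observation is verified rather than eyeballed.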
--- Begin Message ---
Control: tags -1 -security
Control: tags -1 +upstream
Control: severity -1 wishlist
Exactly the same situation - a script that's just distributed and not
used in the build nor in the resulting package. If we were to fix every
crappy file in the upstream tarball, we won't be doing anything else.
Seeing the other bug - yes I am positive on closing those as wontfix.
~~~
Seb, I understand you are trying to be helpful, but tagging build
instructions (e.g. non-platform documentation) on Windows with
"security" seems a little bit excessive.
I am even inclined to close the bug as we distribute the file only in
the source package. You would be most welcome to file an upstream bug.
security
This bug describes a security problem in a package (e.g., bad
permissions allowing access to data that shouldn't be accessible; buffer
overruns allowing people to control a system in ways they shouldn't be
able to; denial of service attacks that should be fixed, etc). Most
security bugs should also be set at critical or grave severity.
Cheers,
--
Ondřej Surý <[email protected]>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Supplies for baking bread
of all kinds
--- End Message ---