Source: softhsm2
Version: 2.1.0-3
Severity: normal

Dear Maintainer,

Your package appears to contain commands which use a short gpg-key ID. These have recently been identified as potential security concerns, due to a chance that the wrong key can be imported in the case of a forced key-ID collision [1].

The affected file is: WIN32-NOTES.md [2]

This appears to be a set of build instructions for a Windows system, so may require forwarding to upstream, as it may not apply to the Debian-built package per se.

Please consider upgrading to a full key ID, for example, replace the command (e.g., not specific to your package):

    gpg --keyserver keyring.debian.org --recv-keys 05C3E651

becomes:

    gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651

(Note the tail bytes are the same.)

This has previously been forwarded to the security team, who advised to report individual public bugs against each package - hence this bug.

[1] http://lwn.net/Articles/697417
[2] Debian git repository, git://anonscm.debian.org/pkg-nlnetlabs/softhsm2.git commit 63d7b402222d72263c2dfff9ded40c4988698670
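As an added check, not part of the report above, here is a small Python lint that flags `--recv-keys` arguments shorter than a full 40-hex-digit fingerprint and, before rewriting a command, verifies that the short ID really is the tail of the intended fingerprint (the point the report makes with "the tail bytes are the same"). The sample build-note text is constructed, reusing the key IDs quoted in the report.

```python
import re

# Constructed sample (not from the report): three recv-keys commands of the
# kinds a build note might contain, reusing the IDs quoted in the report.
SAMPLE_NOTES = """\
gpg --keyserver keyring.debian.org --recv-keys 05C3E651
gpg --keyserver keyring.debian.org --recv-keys 0x6BAF400B05C3E651
gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651
"""

RECV_KEYS = re.compile(r"(--recv-keys\s+)((?:0x)?[0-9A-Fa-f]+)\b")

def strip_prefix(key_id):
    """Return the bare hex digits, uppercased, without an optional 0x prefix."""
    bare = key_id[2:] if key_id.lower().startswith("0x") else key_id
    return bare.upper()

def classify_key_id(key_id):
    """short = 32-bit ID, long = 64-bit ID, fingerprint = full 160-bit v4 fingerprint."""
    n = len(strip_prefix(key_id))
    return {8: "short", 16: "long", 40: "fingerprint"}.get(n, "unknown")

def find_weak_key_ids(text):
    """Report every --recv-keys argument that is not a full fingerprint."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in RECV_KEYS.finditer(line):
            kind = classify_key_id(m.group(2))
            if kind != "fingerprint":
                findings.append((lineno, m.group(2), kind))
    return findings

def is_tail_of(key_id, fingerprint):
    """True if key_id is the trailing bytes of fingerprint, which is how
    short (32-bit) and long (64-bit) key IDs are derived from it."""
    return strip_prefix(fingerprint).endswith(strip_prefix(key_id))

def upgrade_command(line, fingerprint):
    """Rewrite the --recv-keys argument on one line to the full fingerprint,
    refusing if the existing ID is not actually the tail of that fingerprint."""
    m = RECV_KEYS.search(line)
    if m is None or not is_tail_of(m.group(2), fingerprint):
        raise ValueError("key ID on this line does not match the given fingerprint")
    return line[:m.start(2)] + "0x" + strip_prefix(fingerprint) + line[m.end(2):]
```

Running `find_weak_key_ids` over a build note lists the lines that still need a fingerprint; `upgrade_command` is the safe rewrite, since it refuses a fingerprint whose tail does not match the ID already in the file.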

