On Sun, Sep 25, 2016 at 04:46:55PM +0200, Salvatore Bonaccorso wrote:
> Hi Adrian,
> 
> On Sun, Sep 25, 2016 at 05:16:18PM +0300, Adrian Bunk wrote:
> > On Sun, Sep 25, 2016 at 03:44:14PM +0200, Salvatore Bonaccorso wrote:
> > > Hi Adrian,
> > 
> > Hi Salvatore,
> > 
> > > On Sun, Sep 25, 2016 at 07:01:49AM +0300, Adrian Bunk wrote:
> > > > Package: security.debian.org
> > > > Severity: minor
> > > > 
> > > > https://lists.debian.org/debian-security-announce/2016/msg00256.html
> > > > 
> > > > "Tuomas Räsänen" - that name is not displayed properly due to lack
> > > > of an email header for the charset of the contents.
> > > > 
> > > > Something like
> > > >   Content-Type: text/plain; charset=utf-8
> > > > is missing.
> > > > 
> > > > I don't care about this past DSA, but it would be nice if you could
> > > > fix that for future DSAs.
> > > 
> > > Thanks. I have added according notes to our documentation, when the DSA
> > > text needs to contain non-ASCII charset
> > 
> > thanks.
> > 
> > > (although the standard is
> > > still, that since we need to GPG sign inline, to use only ASCII
> > > charset).
> > 
> > What is the problem?
> > 
> > This email contains both an inline signature and the string "Räsänen".
> > Is anything about that not working properly?
> 
> It was, AFAICR, to avoid problems like in the thread starting at
> https://lists.debian.org/debian-security/2010/05/msg00001.html . But
> maybe we can consider that not being a problem anymore.

#580896 is still open and (as expected) I was able to reproduce it with 
Sylpheed 3.5.1-1+b1 in unstable.

So with inline signatures your choices are:
- use only ASCII in DSA announcement emails, changing names of people to
  ASCII variants, or
- use UTF-8, and document in the FAQ that Sylpheed has a bug that might 
  sometimes result in wrong signature reported for users using non-UTF-8 
  locales. [1]

> In any case thanks again for your report, with our documentation
> updated it hopefully should not happen on future DSAs.
> 
> Regards,
> Salvatore

cu
Adrian

[1] DSA 2040-1 was using charset=iso-8859-1 in the header, but using a 
    buggy MUA and not using a UTF-8 locale should keep the number of 
    affected users as small as possible (the whole signature checking 
    in Sylpheed is also more a hack you have to copy from the 
    documentation than a properly supported feature)

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
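
Added example, not part of the original email thread: a Python sketch of the two effects discussed above, namely how a UTF-8 body displays when the `Content-Type` charset header is missing, and why only an ASCII-only body gives the same signed bytes in every charset. The sample message, the function names, the ISO-8859-1 fallback and the use of SHA-256 as a stand-in for the hash an inline signature covers are assumptions; the re-encoding model is one way a mismatch can arise, not a description of #580896.

```python
import hashlib
from email import message_from_bytes

NAME = "Tuomas Räsänen"  # the name quoted in the thread


def build(declare_charset: bool) -> bytes:
    """Constructed sample: raw message with a UTF-8 body, with or without a charset header."""
    headers = [b"Subject: constructed sample", b"MIME-Version: 1.0"]
    if declare_charset:
        headers += [b"Content-Type: text/plain; charset=utf-8",
                    b"Content-Transfer-Encoding: 8bit"]
    body = f"Reported by {NAME}.\n".encode("utf-8")
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def displayed_text(raw: bytes, fallback: str = "iso-8859-1") -> str:
    """Decode the body as a reader might: declared charset, else a fallback guess (assumed)."""
    msg = message_from_bytes(raw)
    charset = msg.get_content_charset() or fallback
    return msg.get_payload(decode=True).decode(charset, errors="replace")


def signed_digest(text: str, charset: str) -> str:
    """SHA-256 over the text encoded in `charset`; stand-in for the signed hash."""
    return hashlib.sha256(text.encode(charset)).hexdigest()


def digest_survives(text: str, locale_charset: str) -> bool:
    """True if bytes re-encoded in the locale charset still match what was signed as UTF-8."""
    return signed_digest(text, "utf-8") == signed_digest(text, locale_charset)


if __name__ == "__main__":
    print(displayed_text(build(True)), end="")    # name shown correctly
    print(displayed_text(build(False)), end="")   # mojibake without the header
    for text in (NAME, "Tuomas Rasanen"):
        for cs in ("utf-8", "iso-8859-1"):
            print(f"{text!r} verified under {cs}: {digest_survives(text, cs)}")
```
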