Package: reprepro
Version: 5.1.1-1
Severity: normal

Many thanks for reprepro; I use it extensively!

In order to use VerifyRelease, reprepro at least requires using the long keyid, which is more secure against collision attacks than the short ids (e.g. https://evil32.com), but not nearly as secure as the full fingerprint.

Using the full key fingerprint should at least be allowed for VerifyRelease:

  Name: debian-ports
  VerifyRelease: 58E64B9BB11BC112205DBCDB06AED62430CB581C|66571731B5A71F91C501F3FDDA1B2CEA81DCBC61
  Method: http://deb.debian.org/debian-ports

  Error: not a valid key id '58E64B9BB11BC112205DBCDB06AED62430CB581C'!
  Use hex-igits from the end of the key as identifier
  There have been errors!

Using the corresponding long keyids works fine, of course.

live well,
  vagrant

-- System Information:
Debian Release: 9.4
  APT prefers stable
  APT policy: (500, 'stable'), (210, 'proposed-updates'), (120, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf, arm64

Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages reprepro depends on:
ii  libarchive13   3.2.2-2
ii  libbz2-1.0     1.0.6-8.1
ii  libc6          2.24-11+deb9u3
ii  libdb5.3       5.3.28-12+deb9u1
ii  libgpg-error0  1.26-2
ii  libgpgme11     1.8.0-3+b2
ii  liblzma5       5.2.2-1.2+b1
ii  zlib1g         1:1.2.8.dfsg-5

Versions of packages reprepro recommends:
ii  apt  1.4.8

Versions of packages reprepro suggests:
ii  gnupg-agent      2.1.18-8~deb9u1
pn  inoticoming      <none>
pn  lzip             <none>
ii  pinentry-curses  1.0.0-2

-- no debconf information
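An added example, not part of the original report and not reprepro code: a small audit that reads conf/updates-style stanzas, classifies each VerifyRelease identifier by length, and shows why a shorter identifier (trailing hex digits of the fingerprint) can match more than one key. It assumes only the `|`-separated hex syntax shown in the report; the second stanza and the second keyring entry are constructed for illustration.

```python
import re

# Identifier strength by hex length (OpenPGP v4: key IDs are fingerprint suffixes).
CLASSES = {8: "short-keyid", 16: "long-keyid", 40: "fingerprint"}

FP1 = "58E64B9BB11BC112205DBCDB06AED62430CB581C"  # from the report
FP2 = "66571731B5A71F91C501F3FDDA1B2CEA81DCBC61"  # from the report
# Constructed fingerprint that shares its last 8 hex digits with FP1.
FAKE = "0000000000000000000000000000000030CB581C"
KEYRING = [FP1, FAKE]

# First stanza is from the report; the second is constructed (suffixes of FP1).
SAMPLE = f"""\
Name: debian-ports
VerifyRelease: {FP1}|{FP2}
Method: http://deb.debian.org/debian-ports

Name: constructed-example
VerifyRelease: 06AED62430CB581C|30CB581C
"""

def parse_updates(text):
    """Split blank-line separated stanzas into dicts of field -> value."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")  # only the first colon splits
            fields[key.strip()] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def classify(ident):
    """Return the strength class of one hex key identifier."""
    ident = ident.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]+", ident):
        return "not-hex"
    return CLASSES.get(len(ident), "nonstandard-length")

def audit(text):
    """List (stanza name, identifier, class) for every VerifyRelease entry."""
    return [(st.get("Name", "?"), i.strip(), classify(i))
            for st in parse_updates(text)
            for i in st.get("VerifyRelease", "").split("|") if i.strip()]

def matching_keys(ident, fingerprints):
    """Fingerprints that end with ident; more than one means ambiguity."""
    return [fp for fp in fingerprints if fp.upper().endswith(ident.upper())]
```

Any entry that `audit` reports as something other than `fingerprint` is a candidate for pinning to the full fingerprint once the tool in use accepts it.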