Your message dated Tue, 11 Jul 2017 11:20:22 +0000 with message-id <[email protected]> and subject line Bug#781595: fixed in xdeb 0.6.7 has caused the Debian Bug report #781595, regarding xdeb: disables apt's signature checks to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 781595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781595 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: src:xdeb Version: 0.6.6 Severity: grave Tags: security According to xdeb's documentation it uses apt to download source packages and defaults to using the system's sources.list, that is usually remote repositories. However xdeb disables apt's signature checking: +--- | apt_pkg.config.set('APT::Get::AllowUnauthenticated', str(True)) +---[ http://sources.debian.net/src/xdeb/0.6.6/aptutils.py/?hl=159#L159 ] I assume (but did not verify) that this means xdeb will not complain about a compromised remote repository and build potentially malicous packages. Ansgar
--- End Message ---
--- Begin Message ---Source: xdeb Source-Version: 0.6.7 We believe that the bug you reported is fixed in the latest version of xdeb, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Loïc Minier <[email protected]> (supplier of updated xdeb package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 11 Jul 2017 13:04:29 +0200 Source: xdeb Binary: xdeb Architecture: source all Version: 0.6.7 Distribution: unstable Urgency: low Maintainer: Wookey <[email protected]> Changed-By: Loïc Minier <[email protected]> Description: xdeb - Cross-build tool for Debian packages Closes: 781595 Changes: xdeb (0.6.7) unstable; urgency=low . [ Colin Watson ] * Use next(iterator) rather than iterator.next(). * Use "key in dict" rather than "dict.has_key(key)". * Make code style more or less conform to PEP-8. * Simplify utils.file_on_path. * Use dict.items rather than dict.iteritems to simplify porting to Python 3; the performance impact should be negligible here. * Simplify sorting in various places by relying on the default iteration protocol for mappings. * Use io.StringIO if cStringIO.StringIO is not available. * Rephrase MyPkgRelation.parse_relations using list comprehensions: arguably clearer, and works in both Python 2 and 3. * Adjust GraphCycleError.__str__ to work in Python 3. * Drop support for debian_bundle from python-debian (<< 0.1.15). * Use configparser rather than ConfigParser if available. * Remove __pycache__ directories on clean. * Pass universal_newlines=True to subprocess.Popen to get Unicode output in Python 3. * Suppress pychecker warnings from the standard library. * Set source format to 3.0 (native). * Canonicalise the path to the GPL text in debian/copyright. * Set [trusted=yes] for our local repository, and enable APT authentication otherwise (closes: #781595). * Use context managers where appropriate. . [ Loïc Minier ] * More PEP8 fixes. * pyflakes fix. * Run pyflakes as part of testsuite if it's available. * Run pep8 as part of testsuite if it's available. * Fix pychecker warning in tests. * Run pychecker as part of testsuite if it's available. * Test that we're running pychecker on all *.py files. * Also run pychecker on tests. * Clean __pycache__ in Makefile rather than debian/rules. * Bump Standards-Version to 4.0.0. * Remove myself from uploaders. * Bump Debhelper compat level and build-dep to 10. * Build-depend on dh-python. * Remove Colin Watson and Steve Langasek from Uploaders with their agreement. * Add .pm suffix to checks/xdeb. * Use Lintian::Util instead of Util in Lintian check. * Updated to latest Lintian checks API, except for tag suppression which would need to be ported to Lintian profiles. * Fix ARM file magic detection (allow for "EABI5"). Checksums-Sha1: 5feac2c471947790b03fea30459bc42a791e1cf9 1450 xdeb_0.6.7.dsc 9e6e61d13f9182fd4461e17dfe553d74db6b2fdf 44436 xdeb_0.6.7.tar.xz e8acb335113cb66934e5c07f4082e16f39cb40b6 36134 xdeb_0.6.7_all.deb dccb7f7b918ec8bcb654dc5612c4553cdd297b92 5863 xdeb_0.6.7_amd64.buildinfo Checksums-Sha256: 0b9d71ddef6cbb2f445b90db7a080d1bc42580e3f4bf2544a90096f9b22ac68d 1450 xdeb_0.6.7.dsc 10af024b6d5cbefddbfb10437023febf77fd0ba44c1d2162f6735290532058d5 44436 xdeb_0.6.7.tar.xz 99fc4287049b99808b60a4c2e42fa4d80ab368f28d0ed46e215a4034e9874383 36134 xdeb_0.6.7_all.deb 8c49cdbf523468d27a72c3223faf6e74d832dd65f5df43dd011cc3ab6923e406 5863 xdeb_0.6.7_amd64.buildinfo Files: 218d382ef4bfc4b1741e7c6087519d6e 1450 devel optional xdeb_0.6.7.dsc 6b4268e066fe2e419f69a1747bd62768 44436 devel optional xdeb_0.6.7.tar.xz 31a2f9088ec6d3c2193bbc0ef86b2683 36134 devel optional xdeb_0.6.7_all.deb 2de8f449842672afb1791ca2f8a2c90d 5863 devel optional xdeb_0.6.7_amd64.buildinfo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJZZLF2AAoJEPEUCEwIYRERp+IP+gJty5jD7WD8s6iSeh9fW9t6 ZhHK9bufnjQWFzbX8vaQQQADTGnUDd1Pr1Lb1HzmSZzRUR+dCIyHIwP+dSGCBfRp vNHf7A7Aj0fMtg9x56mZBpTwKDcQ9YkljHBRofMTIZNlrBv+jhBxlQlVourT24Ev I0vgA6WWYhSDv14IilJO436hwnFB4NLEH5aoGSFoG1L+MI8LPzK4riiDCSeIL4xK Q7iu/D0wjZDcknArRbP/AmGYWewp7FiX4GfoUkPeKavsw1PlEz4dJOg31JmowLMm vHGkBXkUXVC1dxWNGA01VK6E04CypWS2NNYOg/WC2lnD/E+qKtpIN1+KIxRZUsIO PqycTdKsHcuB6XDN3EDHlUa02bi2GI9uQu+ySjDSpi0TwX0yufkFkKhGTfMdkuZN DrA76RRnBgXxAiywMPZtl+ULE/goDV1BYROMi0wmX9SOeNKvsc9NAwLa1hnyzOMB NzEIuZMAtqX/CZ1RhZWR+UpdXM0j0wO79sRksb1ZL9Mu1P/07dF4JaF3ByBlOcB+ QWye+9POlrejnEzFToGj9XMPM3C61kEJ+TZ9hu5zN4AxrL/RpOM62I7T1Zg69Gk/ 62TH9lR/Iy+cwquPKvuRaxw8m0zve7ySKAl3mmHhU4SY8g/AffEBksIPnx7qkmB8 oV2PU+IRgiXzgfTXIAIM =zb89 -----END PGP SIGNATURE-----
--- End Message ---

