Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: pu

The emdebian-archive-keyring package in jessie contains the old key which was revoked when the emdebian server was compromised in November 2014. A new server has since been set up and a new key used for the cross-toolchain/cross-building archive which is still hosted there.

This is the recommended way to get cross-toolchains installed for jessie (for pre-built architectures):
https://wiki.debian.org/CrossToolchains#For_jessie_.28Debian_8.29

This is made much harder than it should be because manual key downloading and checking is needed due to this package (version 2.0.4) being essentially useless in jessie.

The 2.0.5 version in testing really should be in jessie too so that people would have a convenient authenticated route to using the jessie cross-toolchains archive.

AIUI I do not need to do a new upload if the package containing just the necessary fix is already in unstable/testing. That is the case here.

Attached is the diff for 2.0.4 -> 2.0.5

(Note: I will be offline until 5th Sept - not sure what the schedule for the next stable release is)

-- System Information:
Debian Release: 7.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru emdebian-archive-keyring-2.0.4/0x97BB3B58.txt emdebian-archive-keyring-2.0.5/0x97BB3B58.txt --- emdebian-archive-keyring-2.0.4/0x97BB3B58.txt 2014-11-27 09:26:06.000000000 +0000 +++ emdebian-archive-keyring-2.0.5/0x97BB3B58.txt 1970-01-01 01:00:00.000000000 +0100 
@@ -1,36 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1 - -mQGiBEY1QygRBACUM8ypZIqJu1O/jjmZJ2XmVHPUMygzcAOXfOsfLBaIz5UmYOCc -22iFN5Milj4hEpgrVnyGgXZh1vA2xbxGZNdjMfge7z0Bvf93RM6gzVnU4EXWu4sW -4nfyPH28/ChsA89mXFnS99zqsRfZNYjQdRCH4LByP7AnXojKU3gq1b4ydwCgzzBV -izehffV2lW7LDv9NhMePhzMD/0mrIUPfCvp0wKXRSHuYaLZiuoI6gV4HrAxLqeo9 -+GXfBb6n6Fpl52fRGbBAtatZ9wDVJi8v7kFQTvX3vcYGYVKmjJBT2aOx7ZhYNXV2 -lncL6e8+b8gG8f+asV2JbdpZCR4KiDyko6VCWZswqpKytrgK+hK+ECS5Mre1Oy+Z -RuaFBACJcxP4h4M0J1vY0wzlXUw81u+BNJkGanW57JIsP/mwvR4MqLfyi7tAmuPX -L6/aWsLvLGYZlFJynZ+1mXXoRUevCGcEc9gK/dpTKVYLRsS0TtNXwaY4hwF7QpBb -gh6Bx/TDBHYjADaYu2EZcwFI29kgwAfwAfyabB/hCfKHT12D5ohJBCARCgAJBQJU -cueVAh0CAAoJELW3cgCXuztYfq0An07hWjCfb5DuCbWVYyF1Q/j56gBmAJ9x33CB -dPq3IxPOiL3MdLh8tv1H07QcRW1kZWJpYW4gQXJjaGl2ZSBTaWduaW5nIEtleYhg -BBMRAgAgBQJGNUMoAhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQtbdyAJe7 -O1gTpgCgv5hYIBB7STKXAzNkQzhDzvMrJM4AoMABwK3Q948TDKFKIWu2yDJ9KAjB -iEUEEBECAAYFAkY3M/4ACgkQIWclcBdP7jX7HwCcDWmGKUTkRA+GA3d81BW7lwRz -SPgAmL2SVYU8VK+TpwLzUbWn2EGkBUWIRgQQEQIABgUCRjZfwwAKCRCIAQlKKLyz -45evAJ4qfetNIo1MWcqM8rA6OyN0vkFV/ACg8/5CZw4oLOHuq4+WIbbpHDiV37SI -RgQQEQIABgUCRjZf2QAKCRCTsNWvqJf9AsixAJ9e3zbMLmBxi0dZng3MmiBF0ex6 -qgCcDWGwW16fPG+XN28ewH8k+WSoS0u5Ag0ERjVDKhAIAMPHsF7MCR/bgzmznXVX -V1QuIDHR9NTAGqFiaGMBKK26rHSN8Wds3zPWR/MBvkCknn9MwW2a4B7Vrdz9RAg3 -cUYmSYbHBNDtCTV8b14fNAoc3nsjblgZ+/+0zDvR9ZNv3cUBaCqJ1hlZqZbOWi1X -PTv2r2CRe2A6q9oGj54NmpSIO7EcH2yYcx0GTafY4ZDqZha3kmzLSq1gh2s5kph9 -NyB2pBu31pY3PDPKkxE6+ZAWb6oHZUaKOtr4aXnqLxYzSi6Wv3kS5xXS+ZbCv5lz -/KlTTIlLRm86wvwRnqGqjBGH4knyB+VKtxlR/T+aRQxCMSIICYzpfvM+O8a+hH9Z -+zMAAwYIAMFAqo9dmRfc7BPLhRxb9erSaEhxb05lwiDyzPP6B5hcK8t8S/L4k9Hw -OXoYfnR7/GqUjSj4dYZ5uLlTLOASMpv+5Yq4EmPhuqKWM7MAK0uQXVsxSktswNHE -Hb5c3H8VfQJvpUdelnJdSfqttKvz9Cm1rtPRKylIK/naQJlZ5XxuAcV+PDcWOHq6 -B2uV2aG5CGT2yVM9VjxIkMLBPGXxPjPIKKZky1TTdOdQdGvSyNOu4gd0o+4i07IZ -SXBsHarFPTKGoAZ+YsKRJ3ODAKeKnYXIQQf/OmmHdkKOfRkVDogZyKHVhSNVEOZ4 -NyZwbjXc8FtKGOUYvXcpjuxqzqRckteISQQYEQIACQUCRjVDKgIbDAAKCRC1t3IA 
-l7s7WNO0AJ0aws9mKLgL0CQKvAKs5UBmpgATXQCfdqJCUVSEsRcihgP8VfOpPeXm -0Vs= -=aGyf ------END PGP PUBLIC KEY BLOCK----- diff -Nru emdebian-archive-keyring-2.0.4/1804772E.txt emdebian-archive-keyring-2.0.5/1804772E.txt --- emdebian-archive-keyring-2.0.4/1804772E.txt 1970-01-01 01:00:00.000000000 +0100 +++ emdebian-archive-keyring-2.0.5/1804772E.txt 2015-07-15 17:51:31.000000000 +0100 
@@ -0,0 +1,41 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.12 (GNU/Linux) + +mQINBFRzvWoBEADS5HZrevpar6R5w0eirYqZc4LfqN4L1aR96HaUu7o9py62IbKC +v+27YD9vD7x1G04AfCru9qxGdHtvaRefdgvS3ek4cKe7R90g0MY+kccmmHYdIIRO +2LE+0lG7PiaKorn0QbeJfQzTzwEAG6agG0kVHODOTI5z/OeTCNK42VJreA2O2Hjn +PrWflf4vqI7L7sc1R54tYjNMiEtNdhxxz+iMMfz5JQWuYva3+kr3cMsKoumi7MjM +doLEGjewXevn4vr1lfSc0RIje7wnmRxSn6Us4b34udfZJdm/fnP+JwztZpxRboA0 +S7WbhKYacyJBQEciXTuJqP6Q8xVrZlgMx8jslqAJssDfot6wc9ZqCx297oOJU4EH +de+OcXWSNGmEhzJgJGhccwe3BB+LM+IU/INDStXf4H7ymSOfrrBzJ32Lsj993Nsq +/wbyX0tXxrDG//2+xJ+d3FdCb22vdI9gxQTgnqZcw8hZqeWQirl4h6dWMVo1gX66 +Br+B2tv5fBCvTRPHtApO8a+oEX0PVx4VyhyVNh2Zvqs/YeXej+t2Skm0Aie/wc7I +mwhNpzK7fI9RYslesK7pjiOV8tTysrt1YaMnfY4KPL3YAcklIRVoRGVVrUtJvG4o +H5AyIjpWsnN9w2v+e/h4r4ERwzUBBmenNrWw2iOZwiLkr9cB8cIg6GBwJQARAQAB +tChFbWRlYmlhbiBUb29sY2hhaW4gQXJjaGl2ZSAoc2lnbmluZyBrZXkpiQI4BBMB +AgAiBQJUc71qAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRB94IlnGAR3 +LhI7D/9Capaozbpe/TG7bquQzv4vgYU08ZJC5sCDwb76T2FrEJYNUENprECGCdrC +MbyEgctWBTUQAlwUpOjhX3pq7PGWpxeByWp3erVt/1Xl920/9fs6n6N/dy1l4NH1 +AoUmf3bKEMYEIN4NCElvgOM71q1W/J8wgvzdYcgMSOoML0ZXrlnJJZ2jToLN1VvN +tV8uFlbh05SLXeBAhhXDweWfLRPIqPkEAWbkXMrxjmzGnYT8tVLpxxuqL7Fap7PS +FEvdSFWdKSkSUH7yhp+Z+zgHwAkns9041Ad0ZjIc3UajC7B8/STkOxpJkX/ecIPB +dzmOeSc+byPhPVRiDuwljmlSLVNQFVzPQr8oU/+jRgKQLt7q8R2+GqasgEgpXe6D +SjI3n6EOixffN+lATt7UWN5UaX94NzK2fvjnIo7t4kINGFbrsrksk8DnUgBHLJ41 +UVVwiAbYXjUEycS/9lsq44SJq8MEdPNijGYvhW9XDaBWmnClkbd0o0ot9lo2pZ4N +eRhM/6Yv1/0GpogYsM5sqdPdaBgYzYhHKt+t5RZ6lXV2rKZxxomtzUWioMlgW+XO +IC7ynzeQYvEm6U73OPPmTZZTynvuDLCGXozDhEwhEisSNtSaXu9Ec8pvwToADrzM +ob0PyRkGq4opOIqN/3FTVrAzJvvB7GNBFFR1G+xY/jum1bEHAYkCHAQQAQgABgUC +VKdC9QAKCRD7hjJRqG+eR0HyD/9Q5kllJUBDagL9pLJpSnAB3z1IpU5j8p3NdBJo +Uffrk3DbPDReQJJCDGl7dr0AAp9p2qSvjzgislabbL52kfZsEom+3iK0N2yxz33A +jZ0iWndNnoJZqPqy6reozZLZ6qTFxUyffW+5Rh+eM5tVVth1S0uWTAcA5vgRB1MN +JBhuMAARR3cFbMPqIYWzxZLOGy9Vs+JY/iNdKlbDOPdCFxMVcwMdUpJkM401YM/m 
+8mmRyjkHD1WX+CKANe28yez8JFHIjMRGMbe1/fUEVqRiy0cZVkJ5XJyC+ETMeKp3 +7PRuF3ggB3zuFhG4iw8plP4yxrLb4IkDMlqW8LRtRAIki4Z3o2Lt/FnqipE91+IE +aLghMFcevfS0KMB+khMpwm53G+n9hmuaJSA+AZ0qw87hFWEFM6tNjjsy8W2FoCTs +ZlCyB2J0g2Nsp+EYL+NFcJJpb6SS6RHtIpBZBWR6x427krm2MbpQBep8C7Hypcor +6b6mz9QNB95lP0Wde0hYK4glHC95jIq0kaKpNFDvjU9HOObz7vaWqjwjSxtICFVW +fpV84F50A5izSS0Ma50b06edB2CO/phWQBedkYewLxfta5oMtWVjQxFLmHHsEvMy +U1BdLoccdwhhRkZjs+QyB5UIxDoLe/+omO0t6bifrYHhEfkxvBoYmKuJqRZFOueX +V2JyGQ== +=q84g +-----END PGP PUBLIC KEY BLOCK----- diff -Nru emdebian-archive-keyring-2.0.4/debian/changelog emdebian-archive-keyring-2.0.5/debian/changelog --- emdebian-archive-keyring-2.0.4/debian/changelog 2014-11-27 09:25:43.000000000 +0000 +++ emdebian-archive-keyring-2.0.5/debian/changelog 2015-07-15 18:01:09.000000000 +0100 @@ -1,3 +1,9 @@ +emdebian-archive-keyring (2.0.5) unstable; urgency=medium + + * Resurrect with new emdebian toolchain archive key (1804772E) + + -- Wookey <[email protected]> Wed, 15 Jul 2015 17:56:35 +0100 + emdebian-archive-keyring (2.0.4) unstable; urgency=medium * Revoke 0x97BB3B58 and disable the keyring. diff -Nru emdebian-archive-keyring-2.0.4/debian/control emdebian-archive-keyring-2.0.5/debian/control --- emdebian-archive-keyring-2.0.4/debian/control 2012-03-24 09:35:31.000000000 +0000 +++ emdebian-archive-keyring-2.0.5/debian/control 2015-07-16 14:44:04.000000000 +0100 
@@ -16,8 +16,8 @@ Depends: ${misc:Depends}, apt, gnupg Description: GnuPG archive keys for the emdebian repository Emdebian digitally signs its Release files. This package - contains the archive key used by both Emdebian Crush and - Emdebian Grip. + contains the archive key used for Emdebian repositories + since 2015. . The key is also available via the Emdebian website and as a udeb for debian-installer support. diff -Nru emdebian-archive-keyring-2.0.4/debian/emdebian-archive-keyring.install emdebian-archive-keyring-2.0.5/debian/emdebian-archive-keyring.install --- emdebian-archive-keyring-2.0.4/debian/emdebian-archive-keyring.install 2011-03-27 07:14:09.000000000 +0100 +++ emdebian-archive-keyring-2.0.5/debian/emdebian-archive-keyring.install 2015-07-16 14:00:45.000000000 +0100 @@ -1,2 +1,2 @@ -0x97BB3B58.txt ./usr/share/emdebian-tools/ +1804772E.txt ./usr/share/emdebian-tools/ emdebian-archive-keyring.gpg ./usr/share/emdebian-tools/ diff -Nru emdebian-archive-keyring-2.0.4/debian/NEWS emdebian-archive-keyring-2.0.5/debian/NEWS --- emdebian-archive-keyring-2.0.4/debian/NEWS 2014-11-27 09:33:22.000000000 +0000 +++ emdebian-archive-keyring-2.0.5/debian/NEWS 2015-07-16 14:24:45.000000000 +0100 
@@ -1,14 +1,12 @@ -emdebian-archive-keyring (2.0.4) unstable; urgency=medium +emdebian-archive-keyring (2.0.5) unstable; urgency=medium - The only key in this keyring has been revoked due to a - possible compromise on the server which was due for - replacement. - . - Emdebian Grip is no longer being updated and the toolchain - repository has not been updated since before the compromise - as work is ongoing for multiarch-compliant toolchains in - Debian. - . - There is no replacement key for this keyring. + This keyring contains a new (2015) key (4096R/1804772E) + for the emdebian archive. This is primarily for use with + the toolchain repositories, as Emdebian Grip is no longer + being updated. + + The previous key (1024D/97BB3B58) was revoked due to a + possible compromise on the old server. There is now a new + server. - -- Neil Williams <[email protected]> Thu, 27 Nov 2014 09:27:56 +0000 +Wookey, June 2015 \ No newline at end of file diff -Nru emdebian-archive-keyring-2.0.4/Makefile emdebian-archive-keyring-2.0.5/Makefile --- emdebian-archive-keyring-2.0.4/Makefile 2012-03-24 09:25:34.000000000 +0000 +++ emdebian-archive-keyring-2.0.5/Makefile 2015-07-15 17:52:23.000000000 +0100 @@ -1,7 +1,7 @@ all: gpg --no-permission-warning -q --homedir . --no-default-keyring \ - --keyring ./emdebian-archive-keyring.gpg --import 0x97BB3B58.txt + --keyring ./emdebian-archive-keyring.gpg --import 1804772E.txt $(RM) emdebian-archive-keyring.gpg~ secring.gpg trustdb.gpg install:
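Review bot: In the debian/NEWS hunk, the trailer line is replaced by `Wookey, June 2015` with no newline at end of file. debian/NEWS follows the changelog format, so parsers such as apt-listchanges expect a ` -- Name <email>  date` trailer, and "June 2015" also disagrees with the 15 Jul 2015 date in the debian/changelog entry. The hunk also rewrites the 2.0.4 entry in place, which removes the original revocation notice from the file; add the 2.0.5 entry above the 2.0.4 one instead and give it a proper trailer.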
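Review bot: In the Makefile hunk, `--import 1804772E.txt` builds the shipped keyring from whatever that file contains, and the key is identified in the file name, changelog and NEWS only by its 32-bit short ID, which is not collision-resistant. Record the full fingerprint in debian/NEWS or the changelog, and have the `all` target check after the import that the keyring holds exactly that one fingerprint (for example by comparing `gpg --with-colons --fingerprint` output against it), so that a swapped or additional key in the .txt file fails the build.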
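Review bot: In the debian/emdebian-archive-keyring.install hunk, the installed file changes from `0x97BB3B58.txt` to `1804772E.txt`, which drops the `0x` naming convention and means anything that reads the old file under `./usr/share/emdebian-tools/` by path finds nothing after the upgrade. Keep the naming consistent (`0x1804772E.txt`) or mention the path change in debian/NEWS.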
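Review bot: In the debian/control hunk, the context line "The key is also available via the Emdebian website and as a udeb for debian-installer support" is left unchanged while the sentence above it is rewritten for the key used since 2015. Confirm that this still holds for the new key and server, or drop it from the description.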

