On 11/24/2017 09:40 AM, Simon McVittie wrote:
> Source: libidn2
> Version: 2.0.4-1.1
> Severity: normal
>
> libidn2 contains both debian/upstream-signing-key.pgp and
> debian/upstream/signing-key.asc, which appears to have been a mistake.
> debian/upstream/signing-key.asc also appears to have unintended content.
>
> debian/upstream-signing-key.pgp is 72K, which seems plausible for a public
> key (although the filename debian/upstream/signing-key.asc is preferred,
> and uscan(1) recommends using gpg --export --export-options export-minimal
> --armor to include only the public key, user IDs and self-signatures, and
> not signatures by other people, to reduce the size further). It has two user
> IDs:
>
> % gpg --list-packets libidn2_2.0.4-1.1.debian/upstream-signing-key.pgp | grep
> ':user ID packet:'
> :user ID packet: "Simon Josefsson <[email protected]>"
> :user ID packet: "Simon Josefsson <[email protected]>"
>
> and it seems entirely plausible that Simon Josefsson is the only valid
> upstream release manager for libidn2.

Simon and me (Tim Rühsen <[email protected]>) - I signed the last few upstream releases with key 0x08302DB6A2670428.

Regards, Tim
_______________________________________________
Help-libidn mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-libidn
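
The check discussed in the quoted report (which user IDs a shipped upstream key carries, and whether it still holds signatures by other people that a minimal export would drop) can be done without a keyring. The following is an added example, not part of the original messages and not code from uscan or libidn2. It assumes a binary (not armored) v4 key with old-format packet headers; it reads each signature's issuer key ID and does not verify the signature. All function names and the sample bytes are constructed here.

```python
import hashlib

def sub_len(buf, i):                              # subpacket length: 1, 2 or 5 octets
    if buf[i] < 192:
        return buf[i], i + 1
    if buf[i] < 255:
        return ((buf[i] - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def packets(data):
    """Yield (tag, body) from a binary key that uses old-format packet headers."""
    i = 0
    while i < len(data):
        if data[i] & 0xC0 != 0x80:
            raise ValueError("armored input or new-format header: not handled here")
        tag, size = (data[i] >> 2) & 0x0F, (1, 2, 4)[data[i] & 3]  # type 3 (indeterminate) fails
        n = int.from_bytes(data[i + 1:i + 1 + size], "big")
        yield tag, data[i + 1 + size:i + 1 + size + n]
        i += 1 + size + n

def key_id(body):
    """v4 key ID: low 64 bits of SHA-1 over 0x99, 2-octet length, key body."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()[-8:]

def issuer(body):
    """Issuer key ID (subpacket type 16) of a v4 signature, else None."""
    i = 4                                         # skip version, type, two algorithm ids
    for _ in range(2 if body[0] == 4 else 0):     # hashed area, then unhashed area
        i, end = i + 2, i + 2 + int.from_bytes(body[i:i + 2], "big")
        while i < end:
            n, i = sub_len(body, i)               # n counts the type octet too
            if body[i] & 0x7F == 16:
                return body[i + 1:i + n]
            i += n
    return None

def audit(key):
    """Return (user IDs, number of signatures not issued by the primary key)."""
    pkts = list(packets(key))
    primary = key_id(next(body for tag, body in pkts if tag == 6))
    uids = [body.decode("utf-8", "replace") for tag, body in pkts if tag == 13]
    return uids, sum(tag == 2 and issuer(body) != primary for tag, body in pkts)

# Constructed sample, not a real key: one user ID, a self-signature, one foreign signature.
def make_pkt(tag, body):
    return bytes([0x81 | tag << 2]) + len(body).to_bytes(2, "big") + body
def make_sig(kid):
    return make_pkt(2, bytes([4, 0x13, 1, 8, 0, 0, 0, 10, 9, 16]) + kid + b"\0\0")
KEY = b"\x04" + bytes(4) + b"\x01constructed"
SAMPLE = make_pkt(6, KEY) + make_pkt(13, b"Test <t@example.org>") + make_sig(key_id(KEY)) + make_sig(b"\x11" * 8)
```

A non-zero second value from `audit()` means the file still contains signatures by other keys; a signature with no issuer subpacket is counted the same way.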
