Your package appears to contain commands which use a short gpg-key
ID. These have recently been identified as potential security concerns,
due to a chance that the wrong key can be imported in the case of a
forced key-ID collision .
The affected file is:
It appears that this is an example, and may not be executed as part of the
debian package. This may require forwarding upstream.
Please consider upgrading to a full key ID, for example, replace the command:
gpg --keyserver <keyserver> --recv-keys <key_short_fingerprint>
gpg --keyserver <keyserver> --recv-keys <key_full_id>
eg (not specific to your package):
gpg --keyserver keyring.debian.org --recv-keys 05C3E651
gpg --keyserver keyring.debian.org --recv-keys
(Note the tail bytes are the same)
This has previously been forwarded to the security team, who advised to
report individual public bugs against each package - hence this bug.
Pkg-go-maintainers mailing list