Package: acbuild
Version: 0.4.0+dfsg-1
Severity: important

Dear Maintainer,

Your package appears to contain commands which use a short gpg-key
ID. These have recently been identified as potential security concerns,
due to a chance that the wrong key can be imported in the case of a
forced key-ID collision [1].

The affected file is:
 /acbuild-0.4.0/examples/mongodb/ [2]

It appears that this is an example, and may not be executed as part of the
Debian package. This may require forwarding upstream.

Please consider upgrading to a full key ID, for example, replace the command:

 gpg --keyserver <keyserver> --recv-keys <key_short_fingerprint>

with:

 gpg --keyserver <keyserver> --recv-keys <key_full_id>

e.g. (not specific to your package):

 gpg --keyserver --recv-keys 05C3E651

with:

 gpg --keyserver --recv-keys

(Note the tail bytes are the same)

This has previously been forwarded to the security team, who advised to
report individual public bugs against each package - hence this bug.


Pkg-go-maintainers mailing list
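
A check for the pattern this report describes, as an added example (not part of the original report or of acbuild): it scans script text for key IDs passed to gpg's key-receive option and classifies each by length, following backslash line continuations. The sample input, the `keyserver.example` host and the 40-hex value are constructed placeholders; only `05C3E651` comes from the report.

```python
import re

# gpg spells the option --recv-keys or --receive-keys (singular also accepted).
RECV_OPT = re.compile(r"--rec(?:v|eive)-keys?")
HEX_ID = re.compile(r"(?:0x)?([0-9A-Fa-f]+)")
# Hex digits -> kind: 32-bit short ID, 64-bit long ID, full v4 fingerprint.
KINDS = {8: "short", 16: "long", 40: "fingerprint"}

# Constructed sample input; not taken from any package.
SAMPLE = """\
# constructed sample
gpg --keyserver keyserver.example --recv-keys 05C3E651
gpg --keyserver keyserver.example --recv-keys \\
    0x0123456789ABCDEF0123456789ABCDEF05C3E651
apt-key adv --recv-keys 89ABCDEF05C3E651 && apt-get update
"""


def classify(token):
    """Return 'short', 'long', 'fingerprint', or None if not a key ID."""
    m = HEX_ID.fullmatch(token.strip("\"';"))
    return KINDS.get(len(m.group(1))) if m else None


def find_key_ids(text):
    """Return (line_number, key_id, kind) for each ID given to --recv-keys."""
    results, collecting = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.rstrip()
        continued = body.endswith("\\")
        for tok in body.rstrip("\\").split():
            if RECV_OPT.fullmatch(tok):
                collecting = True
            elif collecting:
                kind = classify(tok)
                if kind:
                    results.append((lineno, tok.strip("\"';"), kind))
                else:
                    collecting = False  # next option, operator or command
        if not continued:
            collecting = False  # the argument list ends with the command line
    return results


def short_ids(text):
    """Only the 8-hex-digit IDs, the case this report is about."""
    return [hit for hit in find_key_ids(text) if hit[2] == "short"]


if __name__ == "__main__":
    for lineno, key_id, kind in find_key_ids(SAMPLE):
        print(f"line {lineno}: {key_id} ({kind})")
```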
