Package: gitlab
Version: 8.10.5+dfsg-2
Severity: important

Dear Maintainer,

Your package appears to contain commands which use a short gpg-key ID. These have recently been identified as potential security concerns, due to a chance that the wrong key can be imported in the case of a forced key-ID collision [1].

The affected file is: Scala.gitlab-ci.yml [2]

Please consider upgrading to a full key ID, for example, replace the command:

    gpg --keyserver <keyserver> --recv-keys <key_short_fingerprint>

with

    gpg --keyserver <keyserver> --recv-keys <key_full_id>

e.g. (not specific to your package):

    gpg --keyserver keyring.debian.org --recv-keys 05C3E651

becomes:

    gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651

(Note the tail bytes are the same)

This has previously been forwarded to the security team, who advised to report individual public bugs against each package - hence this bug.

[1] http://lwn.net/Articles/697417
[2] https://anonscm.debian.org/cgit/pkg-ruby-extras/gitlab.git/tree/vendor/gitlab-ci-yml/Scala.gitlab-ci.yml

_______________________________________________
Pkg-ruby-extras-maintainers mailing list
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
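
Added example, not part of the original report or of the gitlab package: a small scanner that flags `--recv-keys` arguments that are not full 40-hex-digit fingerprints, and checks that a proposed replacement keeps the same tail bytes as the short ID it replaces. The function names and the sample CI snippet are constructed for illustration; the key values are the ones quoted in the report.

```python
import re

# Everything after --recv-keys on the line (also matches the singular spelling).
RECV_RE = re.compile(r"--recv-keys?\s+(.*)")
KEY_RE = re.compile(r"(?:0x)?[0-9A-Fa-f]+")

def _hex(key_id):
    """Upper-case hex digits of a key ID, without an optional 0x prefix."""
    return (key_id[2:] if key_id[:2].lower() == "0x" else key_id).upper()

def classify(key_id):
    """'short' (32-bit), 'long' (64-bit), 'fingerprint' (160-bit) or 'unknown'."""
    return {8: "short", 16: "long", 40: "fingerprint"}.get(len(_hex(key_id)), "unknown")

def find_weak_key_ids(text):
    """Return (line_number, key_id, kind) for each key argument that is not a full fingerprint."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = RECV_RE.search(line)
        if not match:
            continue
        for token in match.group(1).split():
            if not KEY_RE.fullmatch(token):
                break  # end of the key list, e.g. "&&" or the next option
            kind = classify(token)
            if kind != "fingerprint":
                findings.append((lineno, token, kind))
    return findings

def is_consistent_upgrade(short_id, fingerprint):
    """True if fingerprint is a full fingerprint whose tail bytes equal short_id.
    A matching tail is necessary, not sufficient: colliding keys share it too,
    so the fingerprint itself must come from a trusted source."""
    return classify(fingerprint) == "fingerprint" and _hex(fingerprint).endswith(_hex(short_id))

# Constructed CI snippet using the key values quoted in the report.
FULL = "0x0D59D2B15144766A14D241C66BAF400B05C3E651"
SAMPLE = f"""\
before_script:
  - gpg --keyserver keyring.debian.org --recv-keys 05C3E651
  - gpg --keyserver keyring.debian.org --recv-keys {FULL}
  - gpg --keyserver keyring.debian.org --recv-keys 6BAF400B05C3E651 && gpg --list-keys
"""

if __name__ == "__main__":
    for lineno, key_id, kind in find_weak_key_ids(SAMPLE):
        print(f"line {lineno}: {kind} key ID {key_id}, replace with the full fingerprint")
    print("upgrade keeps tail bytes:", is_consistent_upgrade("05C3E651", FULL))
```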
