Your message dated Sat, 3 Sep 2016 15:54:09 -0700
with message-id
<caczd_tbmr4stnghchw8pohmbarsz1vgpt8machjupgmv-jy...@mail.gmail.com>
and subject line Re: [Python-modules-team] Bug#836555: kivy: docs describe
short gpg key usage
has caused the Debian Bug report #836555,
regarding kivy: docs describe short gpg key usage
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
836555: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836555
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: kivy
Version: 1.9.1-1
Severity: normal
Dear Maintainer,
Your package appears to contain commands which use a short gpg-key
ID. These have recently been identified as potential security concerns,
due to a chance that the wrong key can be imported in the case of a
forced key-ID collision [1].
The affected file is:
/doc/sources/installation/installation-linux.rst [2]
It is not clear to me that this is actually executed anywhere by the
package, but may be an upstream issue. If this is the case, perhaps this
should be forwarded on.
Otherwise, please consider upgrading to a full key ID, for example, replace the
command:
gpg --keyserver <keyserver> --recv-keys <key_short_fingerprint>
with
gpg --keyserver <keyserver> --recv-keys <key_full_id>
e.g. (not specific to your package):
gpg --keyserver keyring.debian.org --recv-keys 05C3E651
becomes:
gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651
(Note the tail bytes are the same)
This has previously been forwarded to the security team, who advised to
report individual public bugs against each package - hence this bug.
[1] http://lwn.net/Articles/697417
[2] https://anonscm.debian.org/cgit/python-modules/packages/kivy.git/tree/doc/sources/installation/installation-linux.rst
--- End Message ---
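One way to find the pattern this report describes in documentation or scripts is to classify every argument passed to `--recv-keys` by its hex length. This is an added example, not code from the report, from kivy or from Debian. The function names are hypothetical, and the policy that only a 40-hex-digit (v4) fingerprint counts as a full ID is an assumption of the example.

```python
import re
import shlex

HEX = re.compile(r"^(?:0x)?([0-9A-Fa-f]+)$")
KINDS = {8: "short-id", 16: "long-id", 40: "fingerprint"}  # hex digits, v4 keys

def classify_key_id(token):
    """Classify one --recv-keys argument by its hex length."""
    m = HEX.match(token)
    return KINDS.get(len(m.group(1)), "unknown") if m else "unknown"

def is_tail_of(key_id, fingerprint):
    """True if key_id is the trailing hex of fingerprint (the 'tail bytes')."""
    a, b = HEX.match(key_id), HEX.match(fingerprint)
    return bool(a and b) and b.group(1).upper().endswith(a.group(1).upper())

def logical_lines(text):
    """Yield (first_line_no, joined_line), merging backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        buf += raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        yield start, buf
        buf, start = "", None

def audit_recv_keys(text):
    """Return (line_no, argument, kind) for each key given to --recv-keys."""
    findings = []
    for no, line in logical_lines(text):
        try:
            tokens = shlex.split(line)
        except ValueError:  # documentation prose with an unbalanced quote
            tokens = line.split()
        if "--recv-keys" not in tokens:
            continue
        for arg in tokens[tokens.index("--recv-keys") + 1:]:
            if arg.startswith("-"):
                break
            findings.append((no, arg, classify_key_id(arg)))
    return findings

# The report's two example commands; the continuation line is constructed.
SAMPLE = """\
gpg --keyserver keyring.debian.org --recv-keys 05C3E651
gpg --keyserver keyring.debian.org --recv-keys \\
    0x0D59D2B15144766A14D241C66BAF400B05C3E651
"""
```

Calling `audit_recv_keys(SAMPLE)` returns one finding per key argument; anything whose kind is not `fingerprint` is a candidate for replacement with the full ID.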
--- Begin Message ---
On Sat, Sep 3, 2016 at 3:40 PM, D Haley <[email protected]> wrote:
> Source: kivy
> Version: 1.9.1-1
> Severity: normal
>
> Dear Maintainer,
>
> Your package appears to contain commands which use a short gpg-key
> ID. These have recently been identified as potential security concerns,
> due to a chance that the wrong key can be imported in the case of a
> forced key-ID collision [1].
>
> The affected file is:
> /doc/sources/installation/installation-linux.rst [2]
This file is not installed in any of the binary packages built by
src:kivy. In addition, it only lists out installation steps for end
users (and is merely documentation, not executable code), which is
irrelevant for users who install packages directly from Debian. Hence,
closing this bug report.
Regards,
Vincent
--- End Message ---