On Thu, 25 Oct 2007, Sami Liedes wrote:
However, it still fails to do what you describe: The .dsc can be
signed by *anyone* whose key I happen to have in my keyring, not only
by the person in the Maintainer: field, without giving any clue to
whose signature the .dsc has. I can't think what
On Thu, 25 Oct 2007, Sami Liedes wrote:
Sorry, the signature is about making sure you can identify who is the author of
the source package. It's written nowhere that only DDs should be able to sign
source packages.
No, but it fails to do that either. It doesn't verify that it's signed
by the
Processing commands for [EMAIL PROTECTED]:
package dpkg-dev
Ignoring bugs not assigned to: dpkg-dev
severity 440841 wishlist
Bug#440841: dpkg-dev: source package gpg verification doesn't restrict valid keys to debian-keyring
Severity set to `wishlist' from `normal'
retitle 440841 dpkg
package dpkg-dev
severity 440841 wishlist
retitle 440841 dpkg accepts .dscs signed by anyone in the user's personal keyring, not only the person in the Maintainer: field
tags 440841 - security
thanks
On Thu, Oct 25, 2007 at 08:38:08PM +0200, Raphael Hertzog wrote:
That's not the feature you
On Wed, Sep 05, 2007 at 02:48:39PM +0300, Sami Liedes wrote:
On Wed, Sep 05, 2007 at 01:31:06AM +0200, Cyril Brulebois wrote:
What about the following? An Application Manager asks his/her New
Maintainer applicant to sign the source packages, or more generally one
provides source packages
On Wed, Sep 05, 2007 at 01:31:06AM +0200, Cyril Brulebois wrote:
What about the following? An Application Manager asks his/her New
Maintainer applicant to sign the source packages, or more generally one
provides source packages on one's website, and publishes the key with which
they were
Package: dpkg-dev
Version: 1.14.5
Severity: grave
Tags: security
Justification: root security hole
From /usr/bin/dpkg-source:
if (-x '/usr/bin/gpg') {
my $gpg_command = 'gpg -q --verify ';
if (-r
severity 440841 normal
thanks
Sami Liedes [EMAIL PROTECTED] (04/09/2007):
Justification: root security hole
?!
This is bad: It silently accepts any package signed by any key in the
running user's keyring.
What about the following? An Application Manager asks his/her New
Maintainer
Processing commands for [EMAIL PROTECTED]:
severity 440841 normal
Bug#440841: dpkg-dev: source package gpg verification doesn't restrict valid keys to debian-keyring
Severity set to `normal' from `grave'
thanks
Stopping processing here.
Please contact me if you need assistance.