Bug#440841: dpkg-dev: source package gpg verification doesn't restrict valid keys to debian-keyring

2007-10-25 Thread Raphael Hertzog
On Thu, 25 Oct 2007, Sami Liedes wrote: However, it still fails to do what you describe: The .dsc can be signed by *anyone* whose key I happen to have in my keyring, not only by the person in the Maintainer: field, without giving any clue to whose signature the .dsc has. I can't think what

Bug#440841: dpkg-dev: source package gpg verification doesn't restrict valid keys to debian-keyring

2007-10-25 Thread Raphael Hertzog
On Thu, 25 Oct 2007, Sami Liedes wrote: Sorry, signature is about making sure you can identify who is the author of the source package. It's written nowhere that only DDs should be able to sign source packages. No, but it fails to do that either. It doesn't verify that it's signed by the

Processed: Re: Bug#440841: dpkg-dev: source package gpg verification doesn't restrict valid keys to debian-keyring

2007-10-25 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]: package dpkg-dev Ignoring bugs not assigned to: dpkg-dev severity 440841 wishlist Bug#440841: dpkg-dev: source package gpg verification doesn't restrict valid keys to debian-keyring Severity set to `wishlist' from `normal' retitle 440841 dpkg

Bug#440841: dpkg-dev: source package gpg verification doesn't restrict valid keys to debian-keyring

2007-10-25 Thread Sami Liedes
package dpkg-dev severity 440841 wishlist retitle 440841 dpkg accepts .dscs signed by anyone in the user's personal keyring, not only the person in the Maintainer: field tags 440841 - security thanks On Thu, Oct 25, 2007 at 08:38:08PM +0200, Raphael Hertzog wrote: That's not the feature you

Bug#440841: dpkg-dev: source package gpg verification doesn't restrict valid keys to debian-keyring

2007-10-24 Thread Sami Liedes
On Wed, Sep 05, 2007 at 02:48:39PM +0300, Sami Liedes wrote: On Wed, Sep 05, 2007 at 01:31:06AM +0200, Cyril Brulebois wrote: What about the following? An Application Manager asks his/her New Maintainer applicant to sign the source packages, or more generally one provides source packages

Bug#440841: dpkg-dev: source package gpg verification doesn't restrict valid keys to debian-keyring

2007-09-05 Thread Sami Liedes
On Wed, Sep 05, 2007 at 01:31:06AM +0200, Cyril Brulebois wrote: What about the following? An Application Manager asks his/her New Maintainer applicant to sign the source packages, or more generally one provides source packages on one's website, and publishes the key with which they were

Bug#440841: dpkg-dev: source package gpg verification doesn't restrict valid keys to debian-keyring

2007-09-04 Thread Sami Liedes
Package: dpkg-dev Version: 1.14.5 Severity: grave Tags: security Justification: root security hole From /usr/bin/dpkg-source: if (-x '/usr/bin/gpg') { my $gpg_command = 'gpg -q --verify '; if (-r

Bug#440841: dpkg-dev: source package gpg verification doesn't restrict valid keys to debian-keyring

2007-09-04 Thread Cyril Brulebois
severity 440841 normal thanks Sami Liedes [EMAIL PROTECTED] (04/09/2007): Justification: root security hole ?! This is bad: It silently accepts any package signed by any key in the running user's keyring. What about the following? An Application Manager asks his/her New Maintainer

Processed: Re: Bug#440841: dpkg-dev: source package gpg verification doesn't restrict valid keys to debian-keyring

2007-09-04 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]: severity 440841 normal Bug#440841: dpkg-dev: source package gpg verification doesn't restrict valid keys to debian-keyring Severity set to `normal' from `grave' thanks Stopping processing here. Please contact me if you need assistance. Debian bug