[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Bug#882581: libidn2: debian/upstream/signing-key.asc is 15M and contains

From: Simon McVittie
Subject: Bug#882581: libidn2: debian/upstream/signing-key.asc is 15M and contains unrelated public keys
Date: Fri, 24 Nov 2017 08:40:03 +0000
User-agent: Mutt/1.9.1 (2017-09-22)

Source: libidn2
Version: 2.0.4-1.1
Severity: normal

libidn2 contains both debian/upstream-signing-key.pgp and
debian/upstream/signing-key.asc, which appears to have been a mistake.
debian/upstream/signing-key.asc also appears to have unintended content.

debian/upstream-signing-key.pgp is 72K, which seems plausible for a public
key (although the filename debian/upstream/signing-key.asc is preferred,
and uscan(1) recommends using gpg --export --export-options export-minimal
--armor to include only the public key, user IDs and self-signatures, and
not signatures by other people, to reduce the size further). It has two user

% gpg --list-packets libidn2_2.0.4-1.1.debian/upstream-signing-key.pgp | grep 
':user ID packet:'
:user ID packet: "Simon Josefsson <address@hidden>"
:user ID packet: "Simon Josefsson <address@hidden>"

and it seems entirely plausible that Simon Josefsson is the only valid
upstream release manager for libidn2.

debian/upstream/signing-key.asc is 15M, and contains many, many keys,
most of which should certainly not be signing libidn2 upstream releases:

% gpg --list-packets libidn2_2.0.4-1.1.debian/upstream/signing-key.asc | grep 
':user ID packet:'
:user ID packet: "Mark Shuttleworth <address@hidden>"
:user ID packet: "Lenny GR vote key (Ephemeral Key) <address@hidden>"
:user ID packet: "Launchpad PPA for Scribblers"

Please remove debian/upstream-signing-key.pgp, and replace
debian/upstream/signing-key.asc with a smaller file containing the
minimized public keys of the upstream developers whose signatures should be
considered normal for this package. uscan(1) describes how to do this in
§(KEYRING FILE EXAMPLES). gpg --list-packets can be used to check that
the result has the content you expect.

I noticed this while uploading an NMU for #881915 and #881968 and wondering
why I was uploading a larger-than-expected .debian.tar.xz file.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]