[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Bug#882581: libidn2: debian/upstream/signing-key.asc is 15M and contains

From: Tim Rühsen
Subject: Bug#882581: libidn2: debian/upstream/signing-key.asc is 15M and contains unrelated public keys
Date: Fri, 24 Nov 2017 10:08:41 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0

On 11/24/2017 09:40 AM, Simon McVittie wrote:
> Source: libidn2
> Version: 2.0.4-1.1
> Severity: normal
> libidn2 contains both debian/upstream-signing-key.pgp and
> debian/upstream/signing-key.asc, which appears to have been a mistake.
> debian/upstream/signing-key.asc also appears to have unintended content.
> debian/upstream-signing-key.pgp is 72K, which seems plausible for a public
> key (although the filename debian/upstream/signing-key.asc is preferred,
> and uscan(1) recommends using gpg --export --export-options export-minimal
> --armor to include only the public key, user IDs and self-signatures, and
> not signatures by other people, to reduce the size further). It has two user
> IDs:
> % gpg --list-packets libidn2_2.0.4-1.1.debian/upstream-signing-key.pgp | grep 
> ':user ID packet:'
> :user ID packet: "Simon Josefsson <address@hidden>"
> :user ID packet: "Simon Josefsson <address@hidden>"
> and it seems entirely plausible that Simon Josefsson is the only valid
> upstream release manager for libidn2.

Simon and me (Tim Rühsen <address@hidden>) - I signed the last few
upstream releases with key 0x08302DB6A2670428.

Regards, Tim

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]