help-libidn

From: Debian Bug Tracking System
Subject: Bug#882581: marked as done (libidn2: debian/upstream/signing-key.asc is 15M and contains unrelated public keys)
Date: Sun, 21 Jul 2019 08:42:04 +0000

Your message dated Sun, 21 Jul 2019 08:39:55 +0000
with message-id <address@hidden>
and subject line Bug#882581: fixed in libidn2 2.2.0-1
has caused the Debian Bug report #882581,
regarding libidn2: debian/upstream/signing-key.asc is 15M and contains 
unrelated public keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact address@hidden
immediately.)


-- 
882581: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882581
Debian Bug Tracking System
Contact address@hidden with problems
--- Begin Message ---
Subject: libidn2: debian/upstream/signing-key.asc is 15M and contains unrelated public keys
Date: Fri, 24 Nov 2017 08:40:03 +0000
User-agent: Mutt/1.9.1 (2017-09-22)

Source: libidn2
Version: 2.0.4-1.1
Severity: normal

libidn2 contains both debian/upstream-signing-key.pgp and
debian/upstream/signing-key.asc, which appears to have been a mistake.
debian/upstream/signing-key.asc also appears to have unintended content.

debian/upstream-signing-key.pgp is 72K, which seems plausible for a public
key (although the filename debian/upstream/signing-key.asc is preferred,
and uscan(1) recommends using gpg --export --export-options export-minimal
--armor to include only the public key, user IDs and self-signatures, and
not signatures by other people, to reduce the size further). It has two user
IDs:

% gpg --list-packets libidn2_2.0.4-1.1.debian/upstream-signing-key.pgp | grep ':user ID packet:'
:user ID packet: "Simon Josefsson <address@hidden>"
:user ID packet: "Simon Josefsson <address@hidden>"

and it seems entirely plausible that Simon Josefsson is the only valid
upstream release manager for libidn2.

debian/upstream/signing-key.asc is 15M, and contains many, many keys,
most of which should certainly not be signing libidn2 upstream releases:

% gpg --list-packets libidn2_2.0.4-1.1.debian/upstream/signing-key.asc | grep ':user ID packet:'
...
:user ID packet: "Mark Shuttleworth <address@hidden>"
...
:user ID packet: "Lenny GR vote key (Ephemeral Key) <address@hidden>"
...
:user ID packet: "Launchpad PPA for OpenOffice.org Scribblers"
...

Please remove debian/upstream-signing-key.pgp, and replace
debian/upstream/signing-key.asc with a smaller file containing the
minimized public keys of the upstream developers whose signatures should be
considered normal for this package. uscan(1) describes how to do this in
§(KEYRING FILE EXAMPLES). gpg --list-packets can be used to check that
the result has the content you expect.

I noticed this while uploading an NMU for #881915 and #881968 and wondering
why I was uploading a larger-than-expected .debian.tar.xz file.

Thanks,
    smcv

--- End Message ---
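
The check described in the report above (listing the user IDs in a packaging keyring and confirming that only the upstream release manager's appear) can be scripted. The following is an added example, not part of the bug report or of the libidn2 packaging; the function name audit_keyring and all names, addresses and key IDs in the sample data are constructed for illustration.

```shell
#!/bin/sh
# audit_keyring NAME...   (reads `gpg --list-packets` output on stdin)
# Prints every user ID whose name is not one of NAME..., then a summary line.
# Returns 1 if any unexpected user ID was found. User IDs are self-asserted,
# so this is a sanity check on the file's content, not a trust decision.
audit_keyring() {
    EXPECTED_NAMES=$(IFS='|'; printf '%s' "$*") awk '
        BEGIN { n = split(ENVIRON["EXPECTED_NAMES"], want, "|") }
        /^:public key packet:/ { keys++ }
        /^:signature packet:/  { sigs++ }
        /^:user ID packet:/ {
            uids++; ok = 0
            # The quoted user ID starts at column 18 of the line.
            for (i = 1; i <= n; i++)
                if (index($0, "\"" want[i] " <") == 18) ok = 1
            if (!ok) { bad++; print "UNEXPECTED " substr($0, 18) }
        }
        END {
            printf "keys=%d uids=%d sigs=%d unexpected=%d\n", keys, uids, sigs, bad
            exit (bad > 0)
        }'
}

# Constructed sample: a minimized keyring with one upstream key, two user IDs.
sample_minimal() {
cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1400000000, expires 0
:user ID packet: "Example Upstream <upstream@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
:user ID packet: "Example Upstream <upstream@example.net>"
:signature packet: algo 1, keyid 0123456789ABCDEF
EOF
}

# Constructed sample: the same keyring with two unrelated keys mixed in.
sample_bloated() {
sample_minimal
cat <<'EOF'
:public key packet:
    version 4, algo 17, created 1100000000, expires 0
:user ID packet: "Unrelated Person <someone@example.com>"
:signature packet: algo 17, keyid 1111111111111111
:signature packet: algo 1, keyid 2222222222222222
:public key packet:
    version 4, algo 1, created 1200000000, expires 0
:user ID packet: "Example PPA signing key"
:signature packet: algo 1, keyid 3333333333333333
EOF
}

sample_bloated | audit_keyring "Example Upstream" || echo "keyring contains unexpected keys"
```

Against a real file, pipe the gpg --list-packets output for debian/upstream/signing-key.asc into audit_keyring with the expected upstream name as the argument.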
--- Begin Message ---
Subject: Bug#882581: fixed in libidn2 2.2.0-1
Date: Sun, 21 Jul 2019 08:39:55 +0000

Source: libidn2
Source-Version: 2.2.0-1

We believe that the bug you reported is fixed in the latest version of
libidn2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to address@hidden,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Josefsson <address@hidden> (supplier of updated libidn2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing address@hidden)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 20 Jul 2019 22:35:12 +0200
Source: libidn2
Architecture: source
Version: 2.2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Libidn team <address@hidden>
Changed-By: Simon Josefsson <address@hidden>
Closes: 882581 929879
Changes:
 libidn2 (2.2.0-1) unstable; urgency=medium
 .
   [ Simon Josefsson ]
   * New upstream version 2.2.0.
   * Update libidn2-0.symbols.
   * Standards-Version 4.4.0.
   * Compat 12.
     - Drop dh --fail-missing (now default).
     - Drop --parallel and --with autoreconf.
     - Drop Build-Depends on dh-autoreconf.
   * Add Build-Depends-Package to symbols file.
   * Drop help2man b-d.  Closes: #929879.
   * Ignore idn2.1 diff.
   * Make libidn2-doc Multi-Arch: foreign.
 .
   [ Ondřej Nový ]
   * d/copyright: Use https protocol in Format field
 .
   [ Bernhard Schmidt ]
   * Update and cleanup upstream signing keys.  Closes: #882581.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
