Bug#699661: debian-keyring: please ship a removed-keys keyring

2023-11-28 Thread Dimitri John Ledkov
On Sat, 2 Feb 2013 23:51:42 -0500 Michael Gilbert wrote:
> package: debian-keyring
> version: 2012.11.15
> severity: important
>
> Signature verification currently fails on source packages that were
> signed by keys that are no longer present in the active keyrings.
> This can easily lead to the

Bug#699661: debian-keyring: please ship a removed-keys keyring

2021-07-29 Thread Sherry Williams
Date: Sun, 2 Jun 2013 13:47:04 -0400
>From: Michael Gilbert
>-
>Body: On Sat, Feb 02, 2013 at 11:51:42PM -0500, Michael Gilbert wrote:
>> package: debian-keyring
>> version: 2012.11.15
>> severity: important
>>
>> Signature verification currently fails on source packages that were
>>

Bug#699661: debian-keyring: please ship a removed-keys keyring

2021-07-29 Thread Sherry Williams
Date: Sat, 2 Feb 2013 23:51:42 -0500
>From: Michael Gilbert
>-
>Body: ur-type{attachments

Bug#699661: debian-keyring: please ship a removed-keys keyring

2013-06-02 Thread Michael Gilbert
On Sat, Jun 1, 2013 at 6:48 PM, Jonathan McDowell wrote: tags 699661 wontfix thanks On Sat, Feb 16, 2013 at 03:11:09PM -0500, Michael Gilbert wrote: Note that signature date is part of the information contained in the gpg signature block. Rethinking this, I suppose that could be faked

Bug#699661: debian-keyring: please ship a removed-keys keyring

2013-06-01 Thread Jonathan McDowell
tags 699661 wontfix thanks On Sat, Feb 16, 2013 at 03:11:09PM -0500, Michael Gilbert wrote: Note that signature date is part of the information contained in the gpg signature block. Rethinking this, I suppose that could be faked with a compromised key. So, really the trust path would

Bug#699661: debian-keyring: please ship a removed-keys keyring

2013-02-16 Thread Michael Gilbert
On Wed, Feb 13, 2013 at 8:18 PM, Jonathan McDowell wrote: On Sat, Feb 02, 2013 at 11:51:42PM -0500, Michael Gilbert wrote: package: debian-keyring version: 2012.11.15 severity: important Signature verification currently fails on source packages that were signed by keys that are no longer

Bug#699661: debian-keyring: please ship a removed-keys keyring

2013-02-16 Thread Michael Gilbert
Note that signature date is part of the information contained in the gpg signature block. Rethinking this, I suppose that could be faked with a compromised key. So, really the trust path would also require checking that that package originated from debian, i.e. that the dsc matches the

Bug#699661: debian-keyring: please ship a removed-keys keyring

2013-02-13 Thread Jonathan McDowell
On Sat, Feb 02, 2013 at 11:51:42PM -0500, Michael Gilbert wrote: package: debian-keyring version: 2012.11.15 severity: important Signature verification currently fails on source packages that were signed by keys that are no longer present in the active keyrings. This can easily lead to the

Bug#699661: debian-keyring: please ship a removed-keys keyring

2013-02-02 Thread Michael Gilbert
package: debian-keyring version: 2012.11.15 severity: important Signature verification currently fails on source packages that were signed by keys that are no longer present in the active keyrings. This can easily lead to the incorrect conclusion that those packages are not to be trusted or