On Sat, 2 Feb 2013 23:51:42 -0500 Michael Gilbert wrote:
> package: debian-keyring
> version: 2012.11.15
> severity: important
>
> Signature verification currently fails on source packages that were
> signed by keys that are no longer present in the active keyrings.
> This can easily lead to the
Date: Sun, 2 Jun 2013 13:47:04 -0400
From: Michael Gilbert
Body: On Sat, Feb 02, 2013 at 11:51:42PM -0500, Michael Gilbert wrote:
>> package: debian-keyring
>> version: 2012.11.15
>> severity: important
>>
>> Signature verification currently fails on source packages that were
Date: Sat, 2 Feb 2013 23:51:42 -0500
From: Michael Gilbert
On Sat, Jun 1, 2013 at 6:48 PM, Jonathan McDowell wrote:
tags 699661 wontfix
thanks
On Sat, Feb 16, 2013 at 03:11:09PM -0500, Michael Gilbert wrote:
Note that signature date is part of the information
contained in the gpg signature block.
Rethinking this, I suppose that could be faked
tags 699661 wontfix
thanks
On Sat, Feb 16, 2013 at 03:11:09PM -0500, Michael Gilbert wrote:
Note that signature date is part of the information
contained in the gpg signature block.
Rethinking this, I suppose that could be faked with a compromised key.
So, really the trust path would
On Wed, Feb 13, 2013 at 8:18 PM, Jonathan McDowell wrote:
On Sat, Feb 02, 2013 at 11:51:42PM -0500, Michael Gilbert wrote:
package: debian-keyring
version: 2012.11.15
severity: important
Signature verification currently fails on source packages that were
signed by keys that are no longer
Note that signature date is part of the information
contained in the gpg signature block.
Rethinking this, I suppose that could be faked with a compromised key.
So, really the trust path would also require checking that that
package originated from debian, i.e. that the dsc matches the
On Sat, Feb 02, 2013 at 11:51:42PM -0500, Michael Gilbert wrote:
package: debian-keyring
version: 2012.11.15
severity: important
Signature verification currently fails on source packages that were
signed by keys that are no longer present in the active keyrings.
This can easily lead to the
package: debian-keyring
version: 2012.11.15
severity: important
Signature verification currently fails on source packages that were
signed by keys that are no longer present in the active keyrings.
This can easily lead to the incorrect conclusion that those packages
are not to be trusted or
9 matches