Your message dated Mon, 10 Oct 2016 13:21:08 +0200
with message-id <[email protected]>
and subject line Not used in tests
has caused the Debian Bug report #836562,
regarding python-tosca-parser: gpg key too short in test script
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
836562: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836562
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-tosca-parser
Version: 0.1.0-3
Severity: important
Dear Maintainer,
Your package appears to contain commands which use a short gpg-key
ID. These have recently been identified as potential security concerns,
due to a chance that the wrong key can be imported in the case of a
forced key-ID collision [1].
The affected file is:
tests/artifacts/mongodb/create.sh [2]
This appears to be an environment setup file for installing mongodb,
and may not be executed directly as part of the debian package. As such,
this may require forwarding upstream.
Please consider upgrading to a full key ID, for example, replace the command:
gpg --keyserver <keyserver> --recv-keys <key_short_fingerprint>
with
gpg --keyserver <keyserver> --recv-keys <key_full_id>
eg (not specific to your package):
gpg --keyserver keyring.debian.org --recv-keys 05C3E651
becomes:
gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651
(Note the tail bytes are the same)
This has previously been forwarded to the security team, who advised to
report individual public bugs against each package - hence this bug.
[1] http://lwn.net/Articles/697417
[2] https://anonscm.debian.org/cgit/openstack/python-tosca-parser.git/tree/toscaparser/tests/artifacts/mongodb/create.sh?id=9079027c658de670e735d7a60c0c548663f0670d
--- End Message ---
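The report above recommends replacing short key IDs with full fingerprints but does not show how a maintainer would find such commands before they ship. The following is an added example, not part of the bug report, the Debian BTS, or the python-tosca-parser package: a small POSIX sh scanner that classifies the identifiers passed to `--recv-keys` in a shell script as short (32-bit), long (64-bit) or full fingerprint, and a helper that confirms the "tail bytes are the same" relation between an abbreviated ID and the full fingerprint. The sample script it scans is constructed for this example and reuses the fingerprint quoted in the report; the hostname `keyserver.example` is a placeholder.

```shell
#!/bin/sh
# Added example (not code from the bug report or the package): detect
# abbreviated OpenPGP key IDs in "gpg ... --recv-keys" invocations.

# classify_key_id ID -> prints "short", "long", "fingerprint" or "unknown".
# A leading 0x is accepted and hex case is normalised.
classify_key_id() {
    id=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    case "$id" in
        *[!0-9A-F]*) echo unknown; return ;;   # not a hex string at all
    esac
    case ${#id} in
        8)  echo short ;;        # 32-bit key ID: trivially collidable
        16) echo long ;;         # 64-bit key ID: still an abbreviation
        40) echo fingerprint ;;  # full v4 fingerprint: what to pin
        *)  echo unknown ;;
    esac
}

# tail_matches SHORT FULL -> exit 0 when SHORT is the trailing hex of FULL.
# Short and long key IDs are the low-order bytes of the fingerprint, which
# is why the report notes that "the tail bytes are the same".
tail_matches() {
    s=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    f=$(printf '%s' "$2" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    [ -n "$s" ] || return 1
    case "$f" in
        *"$s") return 0 ;;
        *)     return 1 ;;
    esac
}

# scan_recv_keys FILE -> prints one "LINE:CLASS:ID" record per identifier
# passed to --recv-keys; returns 1 if any short ID was found (CI-friendly).
scan_recv_keys() {
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            *--recv-keys*) ;;
            *) continue ;;
        esac
        # Take everything after --recv-keys, up to a pipe, ';' or '&'.
        rest=${line##*--recv-keys}
        rest=$(printf '%s' "$rest" | sed 's/[;|&].*//')
        for tok in $rest; do
            cls=$(classify_key_id "$tok")
            printf '%s:%s:%s\n' "$n" "$cls" "$tok"
            [ "$cls" = short ] && rc=1
        done
    done < "$1"
    return $rc
}

# Constructed sample script (not the package's create.sh), written to a
# temporary file so the scanner can be run offline.
SAMPLE_SCRIPT=$(mktemp)
trap 'rm -f "$SAMPLE_SCRIPT"' EXIT
cat > "$SAMPLE_SCRIPT" <<'EOF'
#!/bin/sh
# short ID, as flagged by the report
apt-key adv --keyserver hkp://keyserver.example --recv-keys 05C3E651
# long ID: harder to collide, but still not the full fingerprint
gpg --keyserver keyserver.example --recv-keys 0x6BAF400B05C3E651
# full fingerprint, as the report recommends
gpg --keyserver keyserver.example --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651
EOF

if scan_recv_keys "$SAMPLE_SCRIPT"; then
    echo "OK: no short key IDs in $SAMPLE_SCRIPT"
else
    echo "FAIL: short key ID(s) found; pin the full fingerprint instead"
fi
```

Running it prints one record per `--recv-keys` argument (here `3:short:05C3E651`, `5:long:0x6BAF400B05C3E651`, `7:fingerprint:0x0D59...`) followed by the FAIL verdict, and the non-zero return value of `scan_recv_keys` is what a packaging lint or CI job would key on. The scanner is deliberately line-based and conservative: a key ID wrapped onto the next line or built from a variable is reported as `unknown` rather than silently passed.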
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi,
I don't think this script is even used during the build or runtime,
therefore, the Debian package shouldn't be affected. If it was the
case, then the package would be doing some non policy compliant
things, like accessing networking during build, or even doing some
actions which require root access.
Cheers,
Thomas Goirand (zigo)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---