Control: forwarded -1 https://github.com/arq5x/poretools/pull/94
On Sat, Sep 03, 2016 at 11:54:50PM -0700, Afif Elghraoui wrote:
>
> On Saturday 3 September 2016 15:34, D Haley wrote:
> >
> > Your package appears to contain commands which use a short gpg-key
> > ID. These have recently been identified as potential security concerns,
> > due to a chance that the wrong key can be imported in the case of a
> > forced key-ID collision [1].
> >
> > The affected file is:
> > Dockerfile [2]
> >
> > It's not clear to me that the affected file is actually used in the build
> > script, but it may be referenced somewhere in the package
>
> Yes, this file is not used at all during the build process or
> distributed in the binary package. I believe it's just used by upstream.
> I can repack the tarball and exclude this file if that will alleviate
> concerns.

Hi Afif,

I believe that s/E084DAB9/E298A3A825C0D65DFD57CBB651716619E084DAB9/ would solve the problem.

By the way, this is the key of CRAN's "Ubuntu packages for R" Repository (https://cran.r-project.org/bin/linux/ubuntu/README.html), and I contacted the authors to suggest that they use a longer ID as well. I also sent a pull request to the Poretools author.

Have a nice day,

-- 
Charles
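A check that could be run over a Dockerfile or shell script to find key IDs like the one discussed above, added here as an example; it is not part of the original message or of poretools. The sample input is constructed, and the option spellings it searches for are this example's assumption.

```python
import re

# Option spellings this example treats as "fetch these keys" (gpg / apt-key adv).
KEY_OPTS = {"--recv-keys", "--receive-keys", "--recv-key"}
HEX = re.compile(r"^(?:0x)?([0-9a-f]+)$", re.I)
# Hex-digit count -> kind. Only the 40-digit fingerprint is not a truncated ID.
KINDS = {8: "short-id", 16: "long-id", 40: "fingerprint"}

# Constructed sample, not the Dockerfile from the package discussed above.
SAMPLE = """\
FROM ubuntu
RUN apt-key adv --keyserver keyserver.ubuntu.com \\
    --recv-keys E084DAB9
RUN gpg --recv-keys 0xE298A3A825C0D65DFD57CBB651716619E084DAB9
"""

def classify(token):
    """Return (kind, HEXDIGITS) for a key identifier, else None."""
    m = HEX.match(token)
    digits = m.group(1).upper() if m else ""
    kind = KINDS.get(len(digits))
    return (kind, digits) if kind else None

def tokens(text):
    """Yield (line_no, token), dropping the backslash of a line continuation."""
    for no, line in enumerate(text.splitlines(), 1):
        for tok in line.split():
            tok = tok.rstrip("\\")
            if tok:
                yield no, tok

def scan(text, trusted_fingerprints=()):
    """List (line_no, key_id, kind, candidates) for key IDs shorter than a fingerprint.

    candidates are the trusted fingerprints ending in key_id. That list must come
    from an authenticated source: a matching suffix proves nothing by itself.
    """
    findings, in_keys = [], False
    for no, tok in tokens(text):
        found = classify(tok) if in_keys else None
        if found is None:
            in_keys = tok in KEY_OPTS  # a non-ID token ends the argument list
            continue
        kind, digits = found
        if kind != "fingerprint":
            fits = [f for f in trusted_fingerprints if f.upper().endswith(digits)]
            findings.append((no, digits, kind, fits))
    return findings
```

Each finding carries the line of the offending ID and any trusted fingerprint it is a suffix of, which is the replacement the `s/.../.../` substitution above makes by hand.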