Control: forwarded -1 https://salsa.debian.org/debian/libidn2/merge_requests/1 Control: tags -1 patch
On Fri, Nov 24, 2017 at 10:08:41AM +0100, Tim Rühsen wrote: > On 11/24/2017 09:40 AM, Simon McVittie wrote: > > Source: libidn2 > > Version: 2.0.4-1.1 > > Severity: normal > > > > libidn2 contains both debian/upstream-signing-key.pgp and > > debian/upstream/signing-key.asc, which appears to have been a mistake. > > debian/upstream/signing-key.asc also appears to have unintended content. > > > > debian/upstream-signing-key.pgp is 72K, which seems plausible for a public > > key (although the filename debian/upstream/signing-key.asc is preferred, > > and uscan(1) recommends using gpg --export --export-options export-minimal > > --armor to include only the public key, user IDs and self-signatures, and > > not signatures by other people, to reduce the size further). It has two user > > IDs: > > > > % gpg --list-packets libidn2_2.0.4-1.1.debian/upstream-signing-key.pgp | > > grep ':user ID packet:' > > :user ID packet: "Simon Josefsson <si...@yubico.com>" > > :user ID packet: "Simon Josefsson <si...@josefsson.org>" > > > > and it seems entirely plausible that Simon Josefsson is the only valid > > upstream release manager for libidn2. > > Simon and me (Tim Rühsen <tim.rueh...@gmx.de>) - I signed the last few > upstream releases with key 0x08302DB6A2670428. I have made the proposed changes in a seperate branch and added a merge request on Salsa. Bernhard