Joey Hess <[EMAIL PROTECTED]> writes:

> Package: debmirror
> Version: 20060907.1
> Severity: normal
>
> debmirror uses a different method to validate the signatures on Release
> files than do apt, network-retriever, etc. debmirror's method fails if
> the Release file is signed by any one unknown key, even if it has other
> valid sigs from known keys, as happened recently. The correct method
> does not have this problem, and works as follows:
>
> gpgv --no-tty --status-fd 1 Release.gpg Release | read_gpg_status
>
> Where a shell version of read_gpg_status is this:
>
> read_gpg_status() {
>         while read prefix keyword rest; do
>                 [ "$prefix" = '[GNUPG:]' ] || continue
>                 if [ "$keyword" = VALIDSIG ]; then
>                         exit 0
>                 fi
>         done
>         exit 1
> }
>
> Any single valid signature is enough.

You mentioned this on irc but thanks for filing a reminder bug so I
won't forget.

This should make it into the "Lenny is watching you" release that is
pending.

MfG
        Goswin
