Package: gpa
Version: 0.9.5-2
Severity: grave
Tags: security
Justification: user security hole

In the Server menu, Send keys. A dialogue box is displayed which asks "Are you sure you want to distribute this key?" If I click on the cross (x) to close this box, it is the same as clicking on Yes: the key is sent to the server anyway. It is not the choice of the user. It does not conform to the standards of GUIs in Debian or in other OSes. It is a security issue: a leak of data after an unwitting action of the user.

It should send the key to the server only when the user clicks on Yes. Otherwise, if the user clicks on the cross or on No, nothing should be sent to the server.

-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gpa depends on:
ii  gnupg2                2.0.26-6
ii  gpgsm                 2.0.26-6
ii  libassuan0            2.1.2-2
ii  libatk1.0-0           2.14.0-1
ii  libc6                 2.19-18+deb8u4
ii  libcairo2             1.14.0-2.1+deb8u1
ii  libfontconfig1        2.11.0-6.3
ii  libfreetype6          2.5.2-3+deb8u1
ii  libgdk-pixbuf2.0-0    2.31.1-2+deb8u4
ii  libglib2.0-0          2.42.1-1+b1
ii  libgpg-error0         1.17-3
ii  libgpgme11            1.5.1-6
ii  libgtk2.0-0           2.24.25-3+deb8u1
ii  libpango-1.0-0        1.36.8-3
ii  libpangocairo-1.0-0   1.36.8-3
ii  libpangoft2-1.0-0     1.36.8-3
ii  zlib1g                1:1.2.8.dfsg-2+b1

gpa recommends no packages.

gpa suggests no packages.

-- no debconf information