Source: libidn2
Version: 2.0.4-1.1
Severity: normal

libidn2 contains both debian/upstream-signing-key.pgp and debian/upstream/signing-key.asc, which appears to have been a mistake. debian/upstream/signing-key.asc also appears to have unintended content.

debian/upstream-signing-key.pgp is 72K, which seems plausible for a public key (although the filename debian/upstream/signing-key.asc is preferred, and uscan(1) recommends using gpg --export --export-options export-minimal --armor to include only the public key, user IDs and self-signatures, and not signatures by other people, to reduce the size further). It has two user IDs:

    % gpg --list-packets libidn2_2.0.4-1.1.debian/upstream-signing-key.pgp | grep ':user ID packet:'
    :user ID packet: "Simon Josefsson <si...@yubico.com>"
    :user ID packet: "Simon Josefsson <si...@josefsson.org>"

and it seems entirely plausible that Simon Josefsson is the only valid upstream release manager for libidn2.

debian/upstream/signing-key.asc is 15M, and contains many, many keys, most of which should certainly not be signing libidn2 upstream releases:

    % gpg --list-packets libidn2_2.0.4-1.1.debian/upstream/signing-key.asc | grep ':user ID packet:'
    ...
    :user ID packet: "Mark Shuttleworth <mark.shuttlewo...@ubuntu.com>"
    ...
    :user ID packet: "Lenny GR vote key (Ephemeral Key) <gr_le...@vote.debian.org>"
    ...
    :user ID packet: "Launchpad PPA for OpenOffice.org Scribblers"
    ...

Please remove debian/upstream-signing-key.pgp, and replace debian/upstream/signing-key.asc with a smaller file containing the minimized public keys of the upstream developers whose signatures should be considered normal for this package. uscan(1) describes how to do this in §(KEYRING FILE EXAMPLES). gpg --list-packets can be used to check that the result has the content you expect.

I noticed this while uploading an NMU for #881915 and #881968 and wondering why I was uploading a larger-than-expected .debian.tar.xz file.

Thanks,
smcv
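
The gpg --list-packets check described in the report, as an added example that is not part of the original message or of the libidn2 packaging: it reads the text output of gpg --list-packets and reports user IDs outside an allow-list as well as signatures made by other keys (the ones export-minimal drops). The function name, the sample listing, its key IDs and its user IDs are constructed for illustration, and the parser assumes the output layout shown in the sample.

```python
import re

# Constructed sample in the layout printed by `gpg --list-packets`
# (key IDs and user IDs are made up for this example).
SAMPLE = """\
:public key packet:
\tversion 4, algo 1, created 0, expires 0
\tkeyid: AAAAAAAAAAAAAAAA
:user ID packet: "Upstream Maintainer <maint@example.org>"
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
:signature packet: algo 1, keyid CCCCCCCCCCCCCCCC
:public sub key packet:
\tversion 4, algo 1, created 0, expires 0
\tkeyid: DDDDDDDDDDDDDDDD
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
:public key packet:
\tversion 4, algo 1, created 0, expires 0
\tkeyid: BBBBBBBBBBBBBBBB
:user ID packet: "Unrelated Person <someone@example.net>"
:signature packet: algo 1, keyid BBBBBBBBBBBBBBBB
"""

def audit_keyring(listing, allowed_uids):
    """Return (keys, findings) for `gpg --list-packets` text output."""
    keys, findings, want_keyid = [], [], False
    for line in listing.splitlines():
        if line.startswith(":public key packet:"):
            keys.append({"keyid": None, "uids": []})
            want_keyid = True          # next "keyid:" line is the primary's
        elif line.startswith(":public sub key packet:"):
            want_keyid = False         # ignore the subkey's own keyid line
        elif want_keyid and (m := re.match(r"\s+keyid: ([0-9A-Fa-f]+)", line)):
            keys[-1]["keyid"] = m.group(1).upper()
            want_keyid = False
        elif keys and (m := re.match(r':user ID packet: "(.*)"$', line)):
            keys[-1]["uids"].append(m.group(1))
            if m.group(1) not in allowed_uids:
                findings.append(f"unexpected user ID: {m.group(1)}")
        elif keys and (m := re.match(r":signature packet: .*keyid ([0-9A-Fa-f]+)", line)):
            # A signature issued by any key other than the primary is a
            # third-party certification, which a minimal export omits.
            if m.group(1).upper() != keys[-1]["keyid"]:
                findings.append(f"third-party signature by {m.group(1).upper()} "
                                f"on key {keys[-1]['keyid']}")
    return keys, findings

if __name__ == "__main__":
    keys, findings = audit_keyring(SAMPLE, {"Upstream Maintainer <maint@example.org>"})
    print(len(keys), "primary key(s)")
    print("\n".join(findings))
```

An empty findings list together with the expected number of primary keys is the result to look for before committing debian/upstream/signing-key.asc.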