Bug#836553: [Debian-med-packaging] Bug#836553: Bug#836553: poretools: short gpg key used in script
Control: tag -1 + pending

Hi, Charles,

On Sunday 4 September 2016 06:25, Charles Plessy wrote:
> Hi Afif,
>
> I believe that s/E084DAB9/E298A3A825C0D65DFD57CBB651716619E084DAB9/ would
> solve the problem.
>
> By the way, this is the key of CRAN's "Ubuntu packages for R" Repository
> (https://cran.r-project.org/bin/linux/ubuntu/README.html), and I contacted the
> authors to suggest that they use a longer ID as well. I also sent a pull
> request to the Poretools author.
>

Thanks for reporting it to the CRAN repository maintainers. As far as
poretools is concerned, all R-related packages have been dropped as
dependencies in the latest release. It seems the Dockerfile was
contributed by a third party and has not kept up. I've simply excluded it
from the tarball in the next release.

Thanks and regards
Afif

--
Afif Elghraoui | عفيف الغراوي
http://afif.ghraoui.name
Bug#836553: [Debian-med-packaging] Bug#836553: Bug#836553: poretools: short gpg key used in script
Control: forwarded -1 https://github.com/arq5x/poretools/pull/94

On Sat, Sep 03, 2016 at 11:54:50PM -0700, Afif Elghraoui wrote:
>
> On Saturday 3 September 2016 15:34, D Haley wrote:
> >
> > Your package appears to contain commands which use a short gpg-key
> > ID. These have recently been identified as potential security concerns,
> > due to a chance that the wrong key can be imported in the case of a
> > forced key-ID collision [1].
> >
> > The affected file is:
> > Dockerfile [2]
> >
> > It's not clear to me that the affected file is actually used in the build
> > script, but it may be referenced somewhere in the package
>
> Yes, this file is not used at all during the build process or
> distributed in the binary package. I believe it's just used by upstream.
> I can repack the tarball and exclude this file if that will alleviate
> concerns.

Hi Afif,

I believe that s/E084DAB9/E298A3A825C0D65DFD57CBB651716619E084DAB9/ would
solve the problem.

By the way, this is the key of CRAN's "Ubuntu packages for R" Repository
(https://cran.r-project.org/bin/linux/ubuntu/README.html), and I contacted the
authors to suggest that they use a longer ID as well. I also sent a pull
request to the Poretools author.

Have a nice day,

--
Charles
Bug#836553: [Debian-med-packaging] Bug#836553: poretools: short gpg key used in script
Hello,

On Saturday 3 September 2016 15:34, D Haley wrote:
> Package: poretools
> Version: 0.5.1-1
> Severity: important
>
> Dear Maintainer,
>
> Your package appears to contain commands which use a short gpg-key
> ID. These have recently been identified as potential security concerns,
> due to a chance that the wrong key can be imported in the case of a
> forced key-ID collision [1].
>
> The affected file is:
> Dockerfile [2]
>
> It's not clear to me that the affected file is actually used in the build
> script, but it may be referenced somewhere in the package
>

Yes, this file is not used at all during the build process or
distributed in the binary package. I believe it's just used by upstream.
I can repack the tarball and exclude this file if that will alleviate
concerns.

Thanks and regards
Afif

--
Afif Elghraoui | عفيف الغراوي
http://afif.ghraoui.name
Bug#836553: poretools: short gpg key used in script
Package: poretools
Version: 0.5.1-1
Severity: important

Dear Maintainer,

Your package appears to contain commands which use a short gpg-key
ID. These have recently been identified as potential security concerns,
due to a chance that the wrong key can be imported in the case of a
forced key-ID collision [1].

The affected file is:
Dockerfile [2]

It's not clear to me that the affected file is actually used in the build
script, but it may be referenced somewhere in the package

Please consider upgrading to a full key ID, for example, replace the command:

gpg --keyserver --recv-keys

with

gpg --keyserver --recv-keys

eg (not specific to your package):

gpg --keyserver keyring.debian.org --recv-keys 05C3E651

becomes:

gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651

(Note the tail bytes are the same)

This has previously been forwarded to the security team, who advised to
report individual public bugs against each package - hence this bug.

[1] http://lwn.net/Articles/697417
[2] http://http.debian.net/debian/pool/main/p/poretools/poretools_0.5.1.orig.tar.gz
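As an added example (not part of the bug report, of poretools, or of Debian's tooling), a small Python linter of the kind a packager could run over build scripts: it flags the 8-digit key IDs passed to gpg --recv-keys that this bug asks to replace, and checks that a proposed full fingerprint ends in the same bytes as the ID it replaces. The Dockerfile text it scans is constructed; the function names are hypothetical.

```python
import re

# Number of hex digits gpg prints for each ID form: 8 = short, 16 = long, 40 = full fingerprint
KIND_BY_LENGTH = {8: "short", 16: "long", 40: "fingerprint"}

# One or more hex IDs (optionally 0x-prefixed) following --recv-keys / --recv-key
RECV_KEYS_RE = re.compile(
    r"--recv-keys?\s+((?:0x)?[0-9A-Fa-f]{8,}(?:\s+(?:0x)?[0-9A-Fa-f]{8,})*)")

# Constructed sample Dockerfile: line 3 uses the short ID the bug report flags,
# line 5 already uses the full fingerprint from the report's own example.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:14.04
# constructed sample, not the real poretools Dockerfile
RUN gpg --keyserver keyserver.ubuntu.com --recv-keys E084DAB9 \\
 && gpg -a --export E084DAB9 | apt-key add -
RUN gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651
"""

def strip_0x(key_id):
    return key_id[2:] if key_id[:2].lower() == "0x" else key_id

def classify_key_id(key_id):
    """Return 'short', 'long', 'fingerprint' or 'unknown' for one gpg key ID."""
    return KIND_BY_LENGTH.get(len(strip_0x(key_id)), "unknown")

def find_recv_keys(text):
    """Return (line_no, key_id, kind) for every ID passed to --recv-keys in a script."""
    found = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in RECV_KEYS_RE.finditer(line):
            for key_id in match.group(1).split():
                found.append((line_no, key_id, classify_key_id(key_id)))
    return found

def short_ids(text):
    """Only the collidable 8-digit IDs, which are what the bug report asks to replace."""
    return [(n, k) for n, k, kind in find_recv_keys(text) if kind == "short"]

def same_key(key_id, fingerprint):
    """True if key_id is the tail of fingerprint: a short/long ID is the last 8/16
    digits of the 40-digit fingerprint ("the tail bytes are the same")."""
    return strip_0x(fingerprint).upper().endswith(strip_0x(key_id).upper())

if __name__ == "__main__":
    for line_no, key_id in short_ids(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: short key ID {key_id}; replace it with the full fingerprint")
```

The tail check only confirms that a candidate fingerprint is consistent with the old ID; which fingerprint is the right one still has to come from the key owner's published documentation, as Charles did for the CRAN key.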