My attempts to run the reproducer program have not been successful, as
*none* of the signatures validate. Not even the known good case.
$ GOPATH=/usr/share/gocode/ go run sig_spoof.go
Verifying not tampered...
openpgp: invalid argument: no armored data found
Verifying spoofed hash...
openpgp: inva
[Adding debian-devel to the list]
On Sun, Aug 02, 2020 at 06:21:30PM +0200, Moritz Mühlenhoff wrote:
> > We are at this point again. ESR 68 will be EOL on September 22nd, when 78.3
> > comes out. We have some time still, but if we want FF and TB to keep being
> > supported, we'll have to do some t
Hi Sylvain,
On Mo 31 Aug 2020 12:34:07 CEST, Sylvain Beucler wrote:
> Hi all,
> On 03/08/2020 16:43, Utkarsh Gupta wrote:
>> On Mon, Aug 3, 2020 at 6:02 PM Sylvain Beucler wrote:
>>> This version is now impacted by new security issues, such as
>>> CVE-2020-8163, so I would recommend upgrading anyway. Th
On Mon, Aug 31, 2020 at 03:41:25PM +0200, Sylvain Beucler wrote:
> I consider each separately and I can write a detailed rationale, but I
> feel out-of-place doing so (I'm not the one designing and justifying the
> procedures), and 10 days with no activity feels a bit long to resume
> this kind of
Hi,
On 31/08/2020 14:44, Holger Levsen wrote:
> On Fri, Aug 21, 2020 at 12:59:54PM +0200, Sylvain Beucler wrote:
>> Still in this particular case, in our process the team coordinator cites
>> contributors by running a heuristic-based script, and forwarding it
>> verbatim to the team (and the whole
On Fri, Aug 21, 2020 at 12:59:54PM +0200, Sylvain Beucler wrote:
> In this particular case of missing web imports, one real issue is a
> fragile workflow involving duplicate mail/web announcements due to lack
> of automation/integration.
sure, and my remarks are just to help with this sub-optimal
Hi all,
On 03/08/2020 16:43, Utkarsh Gupta wrote:
> On Mon, Aug 3, 2020 at 6:02 PM Sylvain Beucler wrote:
>> This version is now impacted by new security issues, such as
>> CVE-2020-8163, so I would recommend upgrading anyway. There is no place
>> to upload a new version (in particular, not in E
Hi,
During the month of August, I have spent 21.75h working on:
- clamav security update
- thunderbird 68.11 update
- libx11 security update
- gupnp security update, including finding a UAF (use-after-free) issue that led
to a server crash
- security-tracker improvements in the python3 work
- fir
hi,
today four packages were unclaimed for LTS:
- asyncpg (Utkarsh Gupta)
- firefox-esr (Emilio)
- guacamole-client (Mike Gabriel)
- jupyter-notebook (Mike Gabriel)
and one for ELTS:
- clamav (Utkarsh Gupta)
Then, it seems the end of the month is near and 3 people probably claimed too
many pac