[Debian-med-packaging] Bug#836553: Bug#836553: Bug#836553: poretools: short gpg key used in script
Charles Plessy
plessy at debian.org
Sun Sep 4 13:25:31 UTC 2016
Control: forwarded -1 https://github.com/arq5x/poretools/pull/94
On Sat, Sep 03, 2016 at 11:54:50PM -0700, Afif Elghraoui wrote:
>
> On Saturday, 3 September 2016 at 15:34, D Haley wrote:
> >
> > Your package appears to contain commands which use a short gpg-key
> > ID. These have recently been identified as potential security concerns,
> > due to a chance that the wrong key can be imported in the case of a
> > forced key-ID collision [1].
> >
> > The affected file is:
> > Dockerfile [2]
> >
> > It's not clear to me that the affected file is actually used in the build
> > script, but it may be referenced somewhere in the package
>
> Yes, this file is not used at all during the build process or
> distributed in the binary package. I believe it's just used by upstream.
> I can repack the tarball and exclude this file if that will alleviate
> concerns.
Hi Afif,
I believe that s/E084DAB9/E298A3A825C0D65DFD57CBB651716619E084DAB9/ would solve
the problem.
By the way, this is the key of CRAN's "Ubuntu packages for R" Repository
(https://cran.r-project.org/bin/linux/ubuntu/README.html), and I contacted the
authors to suggest that they use a longer ID as well. I also sent a pull request
to the Poretools author.
Have a nice day,
--
Charles
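The check and fix discussed in this thread, as an added example that is not part of the original mail, of poretools, or of the Debian packaging: it scans lines that fetch keys (`apt-key adv`/`gpg --recv-keys`) for 8-hex-digit short key IDs, which are the collision-prone form D Haley describes, and rewrites any known short ID to its full 40-hex-digit fingerprint, which is the substitution Charles proposes. The Dockerfile lines below are constructed for the example; the short ID `E084DAB9` and the fingerprint `E298A3A825C0D65DFD57CBB651716619E084DAB9` are the values quoted in the mail. The rewrite refuses a mapping whose fingerprint does not end in the short ID, since for a v4 OpenPGP key the short ID is the low 32 bits of the fingerprint.

```python
import re
from typing import Dict, List, Tuple

# Classes of OpenPGP key identifier, by number of hex digits.
SHORT_ID, LONG_ID, FINGERPRINT = "short", "long", "fingerprint"

# Lines that fetch a key and therefore carry a key identifier argument.
RECV_LINE = re.compile(r"\b(?:apt-key\s+adv|gpg2?)\b.*?--recv-keys?\b", re.IGNORECASE)

# A hex token of exactly 40, 16 or 8 digits (tried longest first), optionally 0x-prefixed,
# not glued to further hex digits on either side.
HEX_TOKEN = re.compile(
    r"(?<![0-9A-Fa-f])(?:0x)?([0-9A-Fa-f]{40}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{8})(?![0-9A-Fa-f])"
)

# Constructed Dockerfile fragment for the example; only the key ID comes from the mail.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:14.04
RUN echo 'deb https://cran.r-project.org/bin/linux/ubuntu trusty/' >> /etc/apt/sources.list
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E084DAB9
RUN apt-get update && apt-get install -y r-base
"""

# Short ID -> full fingerprint, as given in the mail for the CRAN Ubuntu repository key.
CRAN_FINGERPRINTS: Dict[str, str] = {
    "E084DAB9": "E298A3A825C0D65DFD57CBB651716619E084DAB9",
}


def classify_key_id(key_id: str) -> str:
    """Return 'short', 'long', 'fingerprint' or 'unknown' for a hex key identifier."""
    hexpart = key_id[2:] if key_id.lower().startswith("0x") else key_id
    return {8: SHORT_ID, 16: LONG_ID, 40: FINGERPRINT}.get(len(hexpart), "unknown")


def find_short_key_ids(text: str) -> List[Tuple[int, str]]:
    """Return (line number, short ID) for every short key ID on a key-fetching line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not RECV_LINE.search(line):
            continue
        for m in HEX_TOKEN.finditer(line):
            if classify_key_id(m.group(1)) == SHORT_ID:
                findings.append((lineno, m.group(1).upper()))
    return findings


def expand_key_ids(text: str, fingerprints: Dict[str, str]) -> str:
    """Replace each known short ID on a key-fetching line with its full fingerprint."""

    def repl(m: "re.Match[str]") -> str:
        token = m.group(1)
        full = fingerprints.get(token.upper())
        if full is None or classify_key_id(token) != SHORT_ID:
            return m.group(0)  # leave unknown or already-long identifiers untouched
        if classify_key_id(full) != FINGERPRINT or not full.upper().endswith(token.upper()):
            raise ValueError(f"fingerprint {full} does not match short ID {token}")
        return full.upper()

    out = []
    for line in text.splitlines():
        out.append(HEX_TOKEN.sub(repl, line) if RECV_LINE.search(line) else line)
    return "\n".join(out)


if __name__ == "__main__":
    for lineno, short_id in find_short_key_ids(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: short key ID {short_id}")
    print(expand_key_ids(SAMPLE_DOCKERFILE, CRAN_FINGERPRINTS))
```

The scanner only looks at lines that actually fetch keys, so hex-looking tokens elsewhere (image tags, paths) are not reported; the mapping from short ID to fingerprint is something the maintainer supplies from the key's published fingerprint, never something the script guesses from a keyserver lookup, because that lookup is exactly where the collision would bite.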