From nobody Tue May 26 11:27:21 2026
Received: (at submit) by bugs.debian.org; 3 Sep 2016 21:58:23 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.0-bugs.debian.org_2005_01_02
 (2014-02-07) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.5 required=4.0 tests=BAYES_00,FREEMAIL_FROM,
 HAS_PACKAGE,HELO_MISC_IP,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RDNS_DYNAMIC,
 SPF_FAIL,URIBL_CNKR,XMAILER_REPORTBUG,X_DEBBUGS_CC autolearn=ham
 autolearn_force=no version=3.4.0-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 31; hammy, 117; neutral, 46; spammy,
 1. spammytokens:0.954-+--H*r:bugs.debian.org
 hammytokens:0.000-+--H*M:reportbug, 0.000-+--H*MI:reportbug,
 0.000-+--H*x:reportbug, 0.000-+--H*UA:reportbug, 0.000-+--keyid
Return-path: <mycae@gmx.com>
Received: from host-92-21-35-16.as13285.net ([92.21.35.16] helo=[127.0.1.1])
 by buxtehude.debian.org with esmtp (Exim 4.84_2)
 (envelope-from <mycae@gmx.com>) id 1bgIxC-0001jy-MG
 for submit@bugs.debian.org; Sat, 03 Sep 2016 21:58:23 +0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: D Haley <mycae@gmx.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gitlab: short gpg key used in script
Message-ID: <147293989651.2173.10706141658160356703.reportbug@minitop>
X-Mailer: reportbug 6.6.6ubuntu1
Date: Sat, 03 Sep 2016 22:58:16 +0100
X-Debbugs-Cc: mycae@gmx.com
Delivered-To: submit@bugs.debian.org

Package: gitlab
Version: 8.10.5+dfsg-2
Severity: important

Dear Maintainer,

Your package appears to contain commands which use a short GPG key
ID. These have recently been identified as a potential security concern,
since the wrong key can be imported in the case of a forced key-ID
collision [1].

The affected file is:
 Scala.gitlab-ci.yml [2]


Please consider upgrading to a full key ID, for example, replace the command:

 gpg --keyserver <keyserver> --recv-keys <key_short_fingerprint>

with

 gpg --keyserver <keyserver> --recv-keys <key_full_id>

e.g. (not specific to your package):

 gpg --keyserver keyring.debian.org --recv-keys 05C3E651

becomes:

 gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651


(Note that the tail bytes are the same.)
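The relationship the report points at (the short ID is just the last 8 hex digits of the 40-digit fingerprint, so anyone who can produce a key with the same tail bytes can be served in its place) is easy to check for mechanically. The following is an added example, not code from the report or from the gitlab package: a small linter that scans a CI script for `--recv-keys` arguments and flags every key reference that is not a full fingerprint, plus a helper that derives the long and short IDs from a fingerprint so one can see why the tail bytes match. The fingerprint is the one quoted above; the CI fragment is constructed for the example. It goes slightly beyond the report by also flagging 16-digit long IDs, since only the full fingerprint identifies a key unambiguously.

```python
import re

# Hex-digit lengths of the three ways a key is commonly referenced.
FULL_FPR_HEX = 40   # 160-bit v4 fingerprint: unambiguous
LONG_ID_HEX = 16    # last 64 bits of the fingerprint
SHORT_ID_HEX = 8    # last 32 bits: the form the report objects to

# Constructed sample CI fragment (not the real Scala.gitlab-ci.yml).
SAMPLE_CI = """\
before_script:
  - apt-get update -qq
  - gpg --keyserver keyring.debian.org --recv-keys 05C3E651
  - gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651
  - gpg --recv-keys 6BAF400B05C3E651
"""

HEX_RE = re.compile(r"^(?:0x)?[0-9A-Fa-f]+$")


def strip_0x(ref):
    """Drop an optional 0x prefix and upper-case the hex digits."""
    return (ref[2:] if ref.lower().startswith("0x") else ref).upper()


def classify_key_ref(ref):
    """Return 'fingerprint', 'long-id', 'short-id' or 'unknown' for a key reference."""
    if not HEX_RE.match(ref):
        return "unknown"
    n = len(strip_0x(ref))
    return {FULL_FPR_HEX: "fingerprint",
            LONG_ID_HEX: "long-id",
            SHORT_ID_HEX: "short-id"}.get(n, "unknown")


def find_weak_key_refs(text):
    """Scan script text for --recv-keys arguments that are not full fingerprints.

    Returns a list of (line_number, key_reference, kind) tuples.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok not in ("--recv-keys", "--recv-key"):
                continue
            # gpg accepts several key references after the option; take all
            # following tokens until the next option-looking token.
            for ref in tokens[i + 1:]:
                if ref.startswith("-"):
                    break
                kind = classify_key_ref(ref)
                if kind != "fingerprint":
                    findings.append((lineno, ref, kind))
    return findings


def ids_from_fingerprint(fpr):
    """Derive (long_id, short_id) from a full fingerprint: they are its tail bytes."""
    hexpart = strip_0x(fpr)
    if len(hexpart) != FULL_FPR_HEX:
        raise ValueError("expected a 40-hex-digit fingerprint")
    return hexpart[-LONG_ID_HEX:], hexpart[-SHORT_ID_HEX:]


if __name__ == "__main__":
    for lineno, ref, kind in find_weak_key_refs(SAMPLE_CI):
        print(f"line {lineno}: {ref} is a {kind}, not a full fingerprint")
    print(ids_from_fingerprint("0x0D59D2B15144766A14D241C66BAF400B05C3E651"))
```

Run against the sample, the linter reports the 8-digit and 16-digit references and leaves the full-fingerprint line alone; `ids_from_fingerprint` shows that `05C3E651` is simply the last four bytes of the quoted fingerprint, which is what makes it collidable.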

This has previously been forwarded to the security team, who advised
reporting individual public bugs against each package, hence this bug.

[1] http://lwn.net/Articles/697417
[2] https://anonscm.debian.org/cgit/pkg-ruby-extras/gitlab.git/tree/vendor/gitlab-ci-yml/Scala.gitlab-ci.yml