[Debian-med-packaging] Bug#836553: Bug#836553: poretools: short gpg key used in script
Afif Elghraoui
afif at debian.org
Sun Sep 4 06:54:50 UTC 2016
Hello,
On Saturday, 3 September 2016 15:34, D Haley wrote:
> Package: poretools
> Version: 0.5.1-1
> Severity: important
>
> Dear Maintainer,
>
> Your package appears to contain commands which use a short gpg-key
> ID. These have recently been identified as potential security concerns,
> due to a chance that the wrong key can be imported in the case of a
> forced key-ID collision [1].
>
> The affected file is:
> Dockerfile [2]
>
> It's not clear to me that the affected file is actually used in the build
> script, but it may be referenced somewhere in the package.
>
Yes, this file is not used at all during the build process or
distributed in the binary package. I believe it's just used by upstream.
I can repack the tarball and exclude this file if that will alleviate
concerns.
Thanks and regards
Afif
--
Afif Elghraoui | عفيف الغراوي
http://afif.ghraoui.name
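
One way to locate the kind of command the report describes: an added example, not part of the original message or of the poretools package. It scans Dockerfile-style text for `gpg`/`apt-key` `--recv-keys` invocations and classifies each key identifier by length (8 hex digits = short ID, 16 = long ID, 40 = full v4 fingerprint). The function names, the sample Dockerfile, the key IDs and the keyserver host are constructed for illustration.

```python
import re

# A gpg/apt-key command that receives keys; group 1 is everything after the option.
RECV = re.compile(r"\b(?:gpg2?|apt-key)\b.*--recv(?:-keys?)?\b(.*)")
HEX = re.compile(r"\b(?:0x)?([0-9A-Fa-f]+)\b")
KINDS = {8: "short-id", 16: "long-id", 40: "fingerprint"}

# Constructed sample input (not the package's real Dockerfile).
SAMPLE = """\
FROM debian:stable
RUN apt-key adv --keyserver hkp://keyserver.example \\
    --recv-keys 0xDEADBEEF
RUN gpg --recv-keys 0123456789ABCDEF0123456789ABCDEF01234567
RUN gpg --keyserver hkp://keyserver.example --recv-keys 89ABCDEF01234567
"""

def logical_lines(text):
    """Yield (start_line_no, joined_line), folding backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:  # file ended on a continuation line
        yield start, buf

def find_key_ids(text):
    """Return (line_no, key_id, kind) for every key identifier being received."""
    findings = []
    for no, line in logical_lines(text):
        m = RECV.search(line)
        if not m:
            continue
        for tok in HEX.findall(m.group(1)):
            kind = KINDS.get(len(tok))
            if kind:
                findings.append((no, tok.upper(), kind))
    return findings

def short_ids(text):
    """Only the 32-bit short IDs, the form the bug report is about."""
    return [(no, kid) for no, kid, kind in find_key_ids(text) if kind == "short-id"]

if __name__ == "__main__":
    for no, kid, kind in find_key_ids(SAMPLE):
        print(f"line {no}: {kid} ({kind})")
```

Replacing a flagged short ID with the key's full 40-hex-digit fingerprint removes the ambiguity the report refers to.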