[PKG-Openstack-devel] Bug#836562: python-tosca-parser: gpg key too short in test script

D Haley mycae at gmx.com
Sat Sep 3 23:37:05 UTC 2016


Source: python-tosca-parser
Version: 0.1.0-3
Severity: important

Dear Maintainer,


Your package appears to contain commands which use a short gpg-key
ID. These have recently been identified as potential security concerns,
due to a chance that the wrong key can be imported in the case of a
forced key-ID collision [1].

The affected file is:
  tests/artifacts/mongodb/create.sh [2]

This appears to be an environment setup file for installing mongodb,
and may not be executed directly as part of the Debian package. As such,
this may require forwarding upstream.

Please consider upgrading to a full key ID, for example, replace the command:

 gpg --keyserver <keyserver> --recv-keys <key_short_fingerprint>

with

 gpg --keyserver  <keyserver> --recv-keys <key_full_id>

e.g. (not specific to your package):

 gpg --keyserver keyring.debian.org --recv-keys 05C3E651

becomes:

 gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651


(Note the tail bytes are the same)

This has previously been forwarded to the security team, who advised to
report individual public bugs against each package - hence this bug.

[1] http://lwn.net/Articles/697417
[2] https://anonscm.debian.org/cgit/openstack/python-tosca-parser.git/tree/toscaparser/tests/artifacts/mongodb/create.sh?id=9079027c658de670e735d7a60c0c548663f0670d
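The check the report asks maintainers to apply by hand can be automated. The script below is an added example and is not part of the bug report or of the python-tosca-parser package; it scans a shell script for `--recv-keys` arguments and flags every key identifier that is not a full 40-hex-digit fingerprint (the v4 fingerprint length assumed here), reporting 8-digit short IDs and 16-digit long IDs separately. The sample file it scans is constructed for the example, with a placeholder keyserver name; the two key identifiers are the ones quoted in the report.

```shell
#!/bin/sh
# Added example: find gpg/apt-key "--recv-keys" calls that use a key ID
# shorter than a full fingerprint. Not code from the bug report or package.

# Classify one key identifier (an optional 0x prefix is stripped):
#   full    - 40 hex digits, a complete v4 fingerprint
#   long    - 16 hex digits, a long key ID (a suffix of the fingerprint)
#   short   -  8 hex digits, a short key ID (the last 4 bytes only)
#   invalid - anything else
keyid_class() {
    id=${1#0x}
    id=${id#0X}
    case "$id" in
        *[!0-9A-Fa-f]*|'') echo invalid; return ;;
    esac
    case ${#id} in
        40) echo full ;;
        16) echo long ;;
        8)  echo short ;;
        *)  echo invalid ;;
    esac
}

# Scan the file named by $1. Prints "<line>:<id>:<class>" for every
# identifier passed to --recv-keys that is not a full fingerprint.
# Returns 0 when the file is clean and 1 when anything was flagged.
scan_recv_keys() {
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            *--recv-keys*) ;;
            *) continue ;;
        esac
        # gpg accepts several key IDs after --recv-keys; stop at the next option
        rest=${line#*--recv-keys}
        for id in $rest; do
            case "$id" in -*) break ;; esac
            cls=$(keyid_class "$id")
            if [ "$cls" != full ]; then
                printf '%s:%s:%s\n' "$n" "$id" "$cls"
                rc=1
            fi
        done
    done < "$1"
    return $rc
}

# Write a constructed sample script to a temp file and print its path.
# keyserver.example.org is a placeholder; the key IDs are those from the report.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample key-setup script
apt-key adv --keyserver keyserver.example.org --recv-keys 05C3E651
gpg --keyserver keyserver.example.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample)
# Expected: "2:05C3E651:short" (line 3 uses the full fingerprint and passes)
scan_recv_keys "$sample" || echo "short key IDs found in $sample"
rm -f "$sample"
```

Treating only the full fingerprint as acceptable is deliberate: a short or long ID is just a suffix of the fingerprint, which is why the report notes that "the tail bytes are the same" and why a keyserver lookup on the suffix alone can return a colliding key.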