squeeze update of libmodule-signature-perl?

Santiago Ruano Rincón santiagorr at riseup.net
Tue Jun 30 12:00:57 UTC 2015 

El 15/05/15 a las 20:23, Salvatore Bonaccorso escribió:
> Hi,
> 
> On Fri, Apr 24, 2015 at 06:36:28AM +0200, Salvatore Bonaccorso wrote:
> > Hi Raphael,
> > 
> > On Mon, Apr 20, 2015 at 03:54:51PM +0200, Raphael Hertzog wrote:
> > > Hello dear maintainer(s),
> > > 
> > > the Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of libmodule-signature-perl:
> > > https://security-tracker.debian.org/tracker/source-package/libmodule-signature-perl
> > > 

[snip]

> > 
> > Sorry for the late relpy. I will first focus on the wheezy, jessie and
> > unstable upload but might then as well look at it for squeeze-lts (no
> > commitment yet to it).
> > 
> > In case somebody else takes care of it would be great if the changes
> > can be pushed back in a squeeze branch in the pkg-perl repos.
> > 
> > Note that it needs to be investigated if libtest-signature-perl will
> > need an adaption for the changes.
> 
> Small heads up on this: I just have released updates for
> wheezy-security and jessie-security, but wont have time to look at
> squeeze-lts as well this weekend. In case a LTS team member wants to
> take it, I updated as well libtest-signature-perl for compatiblity
> with the fix for CVE-2015-3407. For doing a test one could use
> libtest-distmanifest-perl.

Hi,

I've prepared a libmodule-signature-perl package for squeeze. I think
it's ready to be uploaded, but it'd be great it you can take a look if
everything is ok.

cpansign works fine:
$ cpansign -v
Executing gpg --verify --batch --no-tty --keyserver=hkp://pool.sks-keyservers.net:11371 --keyserver-options=auto-key-retrieve /tmp/4uwKrdiyLS
gpg: Signature made Sun Feb 13 14:07:43 2011 CET using RSA key ID 4526F399
gpg: Good signature from "David Bremner <bremner at debian.org>"
gpg:                 aka "David Bremner <bremner at unb.ca>"
gpg:                 aka "David Bremner <david at tethera.net>"
gpg: WARNING: This subkey has been revoked by its owner!
gpg: reason for revocation: Key is no longer used
gpg: revocation comment: revoking 1k subkeys
gpg: Note: This key has expired!
Primary key fingerprint: 815B 6398 2A79 F8E7 C727  86C4 762B 57BB 7842 06AD
     Subkey fingerprint: 4B29 79BE 9A99 331A 56BB  2616 4E28 8DFF 4526 F399
==> Signature verified OK! <==

Upstream Test::Signature also does:
$ make test
...
Primary key fingerprint: 66B2 B78E D1B7 7641 4861  D592 B4B3 DD37 3C35 01A0
t/0-signature.t .. ok   
...

The package is available at: 

    deb https://people.debian.org/~santiago/debian santiago-squeeze-lts/

And at the squeeze-lts branch in my personal git respository:

 git clone  git://anonscm.debian.org/users/santiago/libmodule-signature-perl

I don't have permissions to push into pkg-perl.


I will also update squeeze's libtest-signature-perl. BTW, latest
libtest-signature-perl needs to be imported in pkg-perl git repo.

Cheers,

Santiago
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20150630/94f4611f/attachment.sig>

More information about the pkg-perl-maintainers mailing list