Bug#695932: deb822: flawed handling of signed data

John Wright jsw at debian.org
Tue Aug 26 22:56:14 UTC 2014


package python-debian
tags 695932 moreinfo unreproducible
thanks

On Fri, Dec 14, 2012 at 02:31:03PM +0000, Ansgar Burchardt wrote:
> Package: python-debian
> Version: 0.1.21+nmu2
> Severity: important
> 
> debian.deb822 does not handle signed data properly and can be tricked into
> processing unsigned data while thinking the data is signed.
> 
> I have attached an example program and *.dsc demonstrating the problem: it will
> output "gnupg", but the Source field in the signed part of the file actually
> says "dpkg".
> 
> See also #695855.

Thanks for the report.  Unfortunately (or fortunately, depending on your
point of view), I cannot reproduce this, either with 0.1.22 or
0.1.21+nmu2.  (Because the keyring has also changed, I had to replace
the signed portion with a different signed .dsc for dpkg in order for
i.valid() to return True, but the end result was that d['Source'] is
'dpkg' and not 'gnupg' as in the report.)

I'm tagging the bug unreproducible, but please respond if you can still
reproduce this and we'll try to figure out under what circumstances this
can actually happen.

-- 
John Wright <jsw at debian.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-python-debian-maint/attachments/20140826/c281ae21/attachment.sig>
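The failure mode the report describes is a parser that reads deb822 fields from wherever they appear in a clearsigned file, so an unsigned paragraph placed before the PGP armor shadows the field that was actually signed. The following is an added example, not python-debian's own code, showing the defensive handling: locate the clearsigned armor, take fields only from the signed text between the `Hash:` headers and `-----BEGIN PGP SIGNATURE-----`, undo the dash-escaping of RFC 4880 section 7.1, and either ignore or reject any non-blank data outside the armor. The sample `.dsc` is constructed for the demonstration (its signature block is a placeholder, not a real signature), and actual signature verification is assumed to be delegated to gpg on the extracted payload and is not performed here.

```python
import re
from typing import Dict, Optional, Tuple

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample shaped like the report's .dsc: an unsigned paragraph
# precedes the armor and disagrees with the signed text. The signature
# block and checksum are placeholders, not real values.
SAMPLE_DSC = """Source: gnupg
Version: 0.0-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (quilt)
Source: dpkg
Version: 1.17.13
Files:
 0000000000000000000000000000000000000000 1 dpkg_1.17.13.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

placeholderSIGNATUREdata
-----END PGP SIGNATURE-----
"""


def parse_paragraph(text: str) -> Dict[str, str]:
    """Parse the first deb822 paragraph: 'Key: value' lines, with
    space-indented continuation lines appended to the previous field."""
    fields: Dict[str, str] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break  # blank line ends the first paragraph
            continue
        if line[0] in " \t" and current is not None:
            fields[current] += "\n" + line.strip()
            continue
        key, sep, value = line.partition(":")
        if not sep or not re.fullmatch(r"[A-Za-z0-9-]+", key):
            raise ValueError(f"malformed field line: {line!r}")
        current = key
        fields[current] = value.strip()
    return fields


def naive_fields(text: str) -> Dict[str, str]:
    """The flawed behaviour: parse the file as if no armor existed, so the
    first paragraph (here the unsigned one) wins."""
    return parse_paragraph(text)


def split_clearsigned(text: str, reject_unsigned: bool = True) -> Tuple[str, str]:
    """Return (signed_payload, signature_armor).

    With reject_unsigned=True any non-blank line outside the armor raises;
    with False such lines are silently discarded. Either way, only the
    text inside the armor is returned for parsing and for gpg to verify."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("not a well-formed clearsigned message") from None

    outside = lines[:start] + lines[sig_end + 1:]
    if reject_unsigned and any(line.strip() for line in outside):
        raise ValueError("unsigned data present outside the PGP armor")

    # Skip armor headers such as 'Hash: SHA256' up to the first blank line.
    i = start + 1
    while i < sig_start and lines[i].strip():
        i += 1
    body = lines[i + 1:sig_start]
    # Undo dash-escaping: a signed line beginning with '-' is sent as '- -...'.
    payload = [line[2:] if line.startswith("- ") else line for line in body]
    return "\n".join(payload), "\n".join(lines[sig_start:sig_end + 1])


def signed_fields(text: str, reject_unsigned: bool = True) -> Dict[str, str]:
    """Fields taken only from the signed text; gpg verification of the
    returned payload against the signature armor is assumed to follow."""
    payload, _signature = split_clearsigned(text, reject_unsigned)
    return parse_paragraph(payload)


if __name__ == "__main__":
    print("naive Source:", naive_fields(SAMPLE_DSC)["Source"])
    print("signed Source:", signed_fields(SAMPLE_DSC, reject_unsigned=False)["Source"])
```

Run stand-alone, the naive path reports `gnupg` while the armor-aware path reports `dpkg`, and with the default `reject_unsigned=True` the file is refused outright because of the stray paragraph. Refusing is the safer default for a consumer such as an archive upload queue; ignoring the extra data is acceptable only where the caller is certain that nothing will ever look at the raw file again.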