Bug#695932: deb822: flawed handling of signed data

John Wright jsw at debian.org
Tue Aug 26 23:55:20 UTC 2014


On Wed, Aug 27, 2014 at 01:36:33AM +0200, Ansgar Burchardt wrote:
> Control: tag -1 - moreinfo unreproducible
> 
> John Wright <jsw at debian.org> writes:
> > On Fri, Dec 14, 2012 at 02:31:03PM +0000, Ansgar Burchardt wrote:
> >> Package: python-debian
> >> Version: 0.1.21+nmu2
> >> Severity: important
> >> 
> >> debian.deb822 does not handle signed data properly and can be tricked into
> >> processing unsigned data while thinking the data is signed.
> >> 
> >> I have attached an example program and *.dsc demonstrating the problem: it will
> >> output "gnupg", but the Source field in the signed part of the file actually
> >> says "dpkg".
> >> 
> >> See also #695855.
> >
> > Thanks for the report.  Unfortunately (or fortunately, depending on your
> > point of view), I cannot reproduce this, either with 0.1.22 or
> > 0.1.21+nmu2.  (Because the keyring has also changed, I had to replace
> > the signed portion with a different signed .dsc for dpkg in order for
> > i.valid() to return True, but the end result was that d['Source'] is
> > 'dpkg' and not 'gnupg' as in the report.)
> 
> There are subtle changes to the signed part that are easy to miss. I've
> attached an updated example .dsc (which is signed with a key still in
> the keyring).

Well, this time it works as you say.  I must have dropped something
important when I manually updated the test file before...  Thanks!

-- 
John Wright <jsw at debian.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-python-debian-maint/attachments/20140826/00f4bc1f/attachment.sig>
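The altered .dsc that reproduces the bug is an attachment and is not on this page, so the example below is an added illustration of the bug class rather than python-debian's own code or Ansgar's test file. A clearsigned file has three regions a signature does not cover: text before the BEGIN PGP SIGNED MESSAGE line, the armor header block (the Hash: lines) up to the first blank line, and text after the signature block. A parser that reads field lines from the whole file can therefore report a Source field that gpgv never verified. The constructed SAMPLE puts "Source: gnupg" in each unsigned region while the signed text says "Source: dpkg"; the signature body is a placeholder, and actual verification (running gpgv over the same bytes) is assumed to happen separately. The point shown is that the bytes handed to the deb822 parser must be exactly the bytes the signature covers, nothing more.

```python
import re

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample (not the attachment from the bug report): "Source: gnupg"
# only appears in the three regions a clearsign signature does not cover.
# The signature block is a placeholder, not a real signature.
SAMPLE = """Source: gnupg
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Source: gnupg

Format: 3.0 (quilt)
Source: dpkg
Version: 1.17.13
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJT(placeholder, not a real signature)
-----END PGP SIGNATURE-----
Source: gnupg
"""


def naive_fields(text):
    """The failure mode: take 'Key: value' lines from the whole file, first one
    wins.  Field lines in the unsigned regions are picked up as if signed."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9][-A-Za-z0-9]*):\s*(.*)$", line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2)
    return fields


def signed_payload(text):
    """Return exactly the text the clearsign signature covers, else raise.

    Following RFC 4880 section 7: the signed text starts after the blank line
    that terminates the armor header block and ends before the BEGIN PGP
    SIGNATURE line; dash-escaping ('- ' prefix) is removed.  Leading text,
    armor headers and anything after the signature block are discarded.
    """
    lines = text.splitlines()
    if lines.count(BEGIN_SIGNED) != 1:
        raise ValueError("expected exactly one clearsigned message")
    i = lines.index(BEGIN_SIGNED) + 1
    while i < len(lines) and lines[i] != "":  # armor headers, e.g. 'Hash:'
        i += 1
    if i == len(lines):
        raise ValueError("armor header block not terminated by a blank line")
    body = []
    i += 1
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        if line.startswith("- "):
            line = line[2:]
        elif line.startswith("-"):
            raise ValueError("unescaped dash line inside signed text")
        body.append(line)
        i += 1
    if i == len(lines):
        raise ValueError("missing signature block")
    if END_SIG not in lines[i:]:
        raise ValueError("unterminated signature block")
    return "\n".join(body)


def deb822_fields(paragraph):
    """Parse one deb822 paragraph (a .dsc has exactly one).  Duplicate fields
    are rejected instead of silently choosing the first or the last value."""
    fields = {}
    last = None
    for line in paragraph.splitlines():
        if line.strip() == "":
            break
        if line[0] in " \t":  # continuation line of the previous field
            if last is None:
                raise ValueError("continuation line before any field")
            fields[last] += "\n" + line
            continue
        key, sep, value = line.partition(":")
        # field names: printable ASCII without space or colon
        if not sep or not re.fullmatch(r"[!-9;-~]+", key):
            raise ValueError("malformed field line: %r" % line)
        if key in fields:
            raise ValueError("duplicate field %s" % key)
        fields[key] = value.strip()
        last = key
    return fields


def is_rejected(text):
    """True if signed_payload refuses the input (used to exercise the checks)."""
    try:
        signed_payload(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive:  ", naive_fields(SAMPLE)["Source"])
    print("signed: ", deb822_fields(signed_payload(SAMPLE))["Source"])
```

Whatever verifies the signature must see the same bytes that signed_payload slices out; verifying the whole file with gpgv and then parsing the whole file with a separate, more forgiving parser is exactly the gap this bug describes. For a .dsc it is also reasonable to reject, rather than discard, any non-empty text outside the signed region.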