[Python-modules-team] Bug#836555: Bug#836555: marked as done (kivy: docs describe short gpg key usage)

[Daniel Kahn Gillmor]

Control: reopen 836555
Control: tags 836555 + upstream
Control: forwarded 836555 https://github.com/kivy/kivy/pull/4582

vincent cheng wrote:
> On Sat, Sep 3, 2016 at 3:40 PM, D Haley <mycae at gmx.com> wrote:
>> Source: kivy
>> Version: 1.9.1-1
>> Severity: normal
>>
>> Dear Maintainer,
>>
>> Your package appears to contain commands which use a short gpg-key
>> ID. These have recently been identified as potential security concerns,
>> due to a chance that the wrong key can be imported in the case of a
>> forced key-ID collision [1].
>>
>> The affected file is:
>>  /doc/sources/installation/installation-linux.rst [2]
>
> This file is not installed in any of the binary packages built by
> src:kivy. In addition, it only lists out installation steps for end
> users (and is merely documentation, not executable code), which is
> irrelevant for users who install packages directly from Debian. Hence,
> closing this bug report.

Nonetheless, this is a security vulnerability, and should at least be
reported upstream as part of debian's commitment to our users and free
software.

I've taken the time to do so with a pull request at the URL above.

Once it's fixed upstream and that upstream patch is included in debian,
then a future grep through the debian source archive for the offending
--recv-keys will be cleaned up.

Thanks for maintaining kivy in debian!

Regards,

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/python-modules-team/attachments/20160904/bba490be/attachment-0001.sig>