From: Bernhard Schmidt
Subject: Bug#882581: libidn2: debian/upstream/signing-key.asc is 15M and contains unrelated public keys
Date: Mon, 30 Jul 2018 00:35:03 +0200
User-agent: NeoMutt/20170113 (1.7.2)
Control: forwarded -1 https://salsa.debian.org/debian/libidn2/merge_requests/1
Control: tags -1 patch
On Fri, Nov 24, 2017 at 10:08:41AM +0100, Tim Rühsen wrote:
> On 11/24/2017 09:40 AM, Simon McVittie wrote:
> > Source: libidn2
> > Version: 2.0.4-1.1
> > Severity: normal
> >
> > libidn2 contains both debian/upstream-signing-key.pgp and
> > debian/upstream/signing-key.asc, which appears to have been a mistake.
> > debian/upstream/signing-key.asc also appears to have unintended content.
> >
> > debian/upstream-signing-key.pgp is 72K, which seems plausible for a public
> > key (although the filename debian/upstream/signing-key.asc is preferred,
> > and uscan(1) recommends using gpg --export --export-options export-minimal
> > --armor to include only the public key, user IDs and self-signatures, and
> > not signatures by other people, to reduce the size further). It has two user
> > IDs:
> >
> > % gpg --list-packets libidn2_2.0.4-1.1.debian/upstream-signing-key.pgp |
> > grep ':user ID packet:'
> > :user ID packet: "Simon Josefsson <address@hidden>"
> > :user ID packet: "Simon Josefsson <address@hidden>"
> >
> > and it seems entirely plausible that Simon Josefsson is the only valid
> > upstream release manager for libidn2.
>
> Simon and me (Tim Rühsen <address@hidden>) - I signed the last few
> upstream releases with key 0x08302DB6A2670428.
I have made the proposed changes in a separate branch and added a merge
request on Salsa.
Bernhard
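
The check behind this report (how many primary keys a signing-key file carries and whose user IDs they are) can be done without a keyring by walking the OpenPGP packet headers. This is an added example, not part of the original message or of the libidn2 packaging; the function names and the sample bytes are constructed for illustration.

```python
import base64
SIGNATURE, PUBLIC_KEY, USER_ID = 2, 6, 13  # packet tags, RFC 4880 section 4.3

def dearmor(data: bytes) -> bytes:
    """Decode ASCII armor (one or more blocks); binary input is returned unchanged."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    out = b""
    for block in data.split(b"-----BEGIN PGP")[1:]:
        lines = [l.strip() for l in block.split(b"-----END PGP")[0].splitlines()[1:]]
        body = lines[lines.index(b"") + 1:]  # armor headers end at the blank line
        out += base64.b64decode(b"".join(l for l in body if not l.startswith(b"=")))
    return out

def packets(data: bytes):
    """Yield (tag, body) for each packet; partial body lengths are rejected."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header
            tag, o1 = hdr & 0x3F, data[i]
            if o1 < 192:
                length, i = o1, i + 1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 1] + 192, i + 2
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body length not supported")
        else:  # old-format header; length type 3 runs to end of data
            tag, n = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 3]
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i
            i += n
        yield tag, data[i:i + length]
        i += length

def audit_keyring(data: bytes) -> dict:
    """Count primary keys and signatures, and list user IDs, in a keyring file."""
    pkts = list(packets(dearmor(data)))
    return {"primary_keys": sum(t == PUBLIC_KEY for t, _ in pkts),
            "signatures": sum(t == SIGNATURE for t, _ in pkts),
            "user_ids": [b.decode("utf-8", "replace") for t, b in pkts if t == USER_ID]}

# Constructed sample: two primary keys, dummy packet bodies (not real key material).
SAMPLE = b"".join(bytes([0xC0 | t, len(b)]) + b for t, b in [
    (6, b"k1"), (13, b"Release Manager <rm@example.org>"), (2, b"s"),
    (6, b"k2"), (13, b"Someone Else <other@example.org>"), (2, b"s")])
```

Compare the reported key count and user IDs against the release managers you expect. A signature count far above the number of user IDs and subkeys points to third-party signatures that `export-minimal` would have dropped.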