package python-debian
tags 695932 moreinfo unreproducible
thanks

On Fri, Dec 14, 2012 at 02:31:03PM +0000, Ansgar Burchardt wrote:
> Package: python-debian
> Version: 0.1.21+nmu2
> Severity: important
>
> debian.deb822 does not handle signed data properly and can be tricked into
> processing unsigned data while thinking the data is signed.
>
> I have attached an example program and *.dsc demonstrating the problem: it will
> output "gnupg", but the Source field in the signed part of the file actually
> says "dpkg".
>
> See also #695855.

Thanks for the report. Unfortunately (or fortunately, depending on your point of view), I cannot reproduce this, either with 0.1.22 or 0.1.21+nmu2. (Because the keyring has also changed, I had to replace the signed portion with a different signed .dsc for dpkg in order for i.valid() to return True, but the end result was that d['Source'] is 'dpkg' and not 'gnupg' as in the report.)

I'm tagging the bug unreproducible, but please respond if you can still reproduce this and we'll try to figure out under what circumstances this can actually happen.

--
John Wright <j...@debian.org>