On Wed, Aug 27, 2014 at 01:36:33AM +0200, Ansgar Burchardt wrote:
> Control: tag -1 - moreinfo unreproducible
>
> John Wright <j...@debian.org> writes:
> > On Fri, Dec 14, 2012 at 02:31:03PM +0000, Ansgar Burchardt wrote:
> >> Package: python-debian
> >> Version: 0.1.21+nmu2
> >> Severity: important
> >>
> >> debian.deb822 does not handle signed data properly and can be tricked into
> >> processing unsigned data while thinking the data is signed.
> >>
> >> I have attached an example program and *.dsc demonstrating the problem: it will
> >> output "gnupg", but the Source field in the signed part of the file actually
> >> says "dpkg".
> >>
> >> See also #695855.
> >
> > Thanks for the report. Unfortunately (or fortunately, depending on your
> > point of view), I cannot reproduce this, either with 0.1.22 or
> > 0.1.21+nmu2. (Because the keyring has also changed, I had to replace
> > the signed portion with a different signed .dsc for dpkg in order for
> > i.valid() to return True, but the end result was that d['Source'] is
> > 'dpkg' and not 'gnupg' as in the report.)
>
> There are subtle changes to the signed part that are easy to miss. I've
> attached an updated example .dsc (which is signed with a key still in
> the keyring).

Well, this time it works as you say. I must have dropped something
important when I manually updated the test file before... Thanks!

-- 
John Wright <j...@debian.org>