Source: sqlkit Version: 0.9.6.1-2 Severity: normal Dear Maintainer,
Your package appears to contain commands which use a short gpg-key ID. These have recently been identified as potential security concerns, due to a chance that the wrong key can be imported in the case of a forced key-ID collision [1]. The affected file is: doc/misc/tutorial.rst [2] This does appear to be in a documentation file, however the instructions are listed under the Debian section of the tutorial. This may be an upstream problem, and may require forwarding on to them. Please consider upgrading to a full key ID, for example, replace the command: gpg --keyserver <keyserver> --recv-keys <key_short_fingerprint> with gpg --keyserver <keyserver> --recv-keys <key_full_id> eg (not specific to your package): gpg --keyserver keyring.debian.org --recv-keys 05C3E651 becomes: gpg --keyserver keyring.debian.org --recv-keys 0x0D59D2B15144766A14D241C66BAF400B05C3E651 (Note the tail bytes are the same) This has previously been forwarded to the security team, who advised to report individual public bugs against each package - hence this bug. [1] http://lwn.net/Articles/697417 [2] https://anonscm.debian.org/cgit/collab-maint/sqlkit.git/tree/doc/misc/tutorial.rst?id=2e8775efbc8acf88fb675486464a60c08c44eeb7
