Source: squid
Version: 6.10-1ubuntu1
Severity: normal
Tags: patch
X-Debbugs-Cc: athos.ribe...@canonical.com

Dear Maintainer,

The squid upstream project hosts its keyring at squid-cache.org/pgp.asc.

The latest tarballs for squid 6.10 are no longer being signed by the (only) key in the keyring in d/u/signing-key.asc.

Let's update that keyring to include the following key:

    28F8 5029 FEF6 E865 "Francesco Chemolli (code signing key) <kin...@squid-cache.org>"

This key is available at the upstream keyring and is signed by the previous key included in this keyring.

Note that, although a uscan --download-current does fetch the correct source tarball from the upstream project and reports a good signature from the key above, checking the current tarball in the archive (e.g., with gpgv) will report a bad signature from that key. This happens because the upstream tarball was re-packed and the checksums changed.

Also note that the only differences between the "good" and the "bad" signed tarballs are file ownership, which changed due to repacking it.

A patch to update the keyring file is available at https://salsa.debian.org/squid-team/squid/-/merge_requests/26.

Since I could not find an announcement pointing to the current key being used, I kept the signature from the former key when expanding the keyring.

Thanks for considering the patch.
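
The report's claim that a repacked tarball differs from the signed one only in file ownership can be checked member by member. The following is an added example, not part of the original report or of the squid packaging; the sample archives, the `builder` owner name and all function names are constructed for illustration.

```python
import hashlib
import io
import tarfile

FIELDS = ("type", "mode", "uid", "gid", "uname", "gname", "mtime", "size", "linkname")
OWNERSHIP = {"uid", "gid", "uname", "gname"}

def manifest(tar_bytes):
    """Map member name -> (header metadata, SHA-256 of file content or None)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf:
            digest = hashlib.sha256(tf.extractfile(m).read()).hexdigest() if m.isfile() else None
            out[m.name] = ({f: getattr(m, f) for f in FIELDS}, digest)
    return out

def diff_tarballs(a, b):
    """Report added/removed members, content changes and changed header fields."""
    ma, mb = manifest(a), manifest(b)
    report = {"only_in_a": sorted(set(ma) - set(mb)), "only_in_b": sorted(set(mb) - set(ma)),
              "content": [], "metadata": {}}
    for name in sorted(set(ma) & set(mb)):
        (meta_a, sha_a), (meta_b, sha_b) = ma[name], mb[name]
        if sha_a != sha_b:
            report["content"].append(name)
        changed = sorted(f for f in FIELDS if meta_a[f] != meta_b[f])
        if changed:
            report["metadata"][name] = changed
    return report

def differs_only_in_ownership(report):
    """True when the member set and contents match and only owner fields changed."""
    same_payload = not (report["only_in_a"] or report["only_in_b"] or report["content"])
    fields = set().union(*report["metadata"].values()) if report["metadata"] else set()
    return same_payload and bool(fields) and fields <= OWNERSHIP

def build_sample(uid, gid, owner, body=b"#!/bin/sh\necho configure\n"):
    """Constructed one-file tarball standing in for an upstream or repacked archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("squid-6.10/configure")
        info.size, info.mode, info.mtime = len(body), 0o755, 0
        info.uid, info.gid, info.uname, info.gname = uid, gid, owner, owner
        tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    upstream, repacked = build_sample(1000, 1000, "builder"), build_sample(0, 0, "root")
    report = diff_tarballs(upstream, repacked)
    print(hashlib.sha256(upstream).hexdigest() != hashlib.sha256(repacked).hexdigest())
    print(report["metadata"], differs_only_in_ownership(report))
```

A detached signature covers the archive's exact bytes, so the ownership-only change is enough for gpgv to report a bad signature even though every file's content hash matches.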