Package: reportbug
Version: 5.1.1
Severity: normal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

When using --gpg (or the "sign" config variable) reportbug is not signing attachments to the bug report. This is a fairly big problem for a number of reasons.

First of all, the attachments are not signed! In this regard reportbug is not doing what it claims. If there is good reason to *not* sign attachments, it needs to be well documented (although I can't conceive of any reason why the attachments shouldn't also be included in the signature).

Second, it can trick people into signing content-less messages, as it did to me recently (see #630004). This is a fairly big security concern, since these messages can be used in attacks on the signer or their correspondents.

Thanks.

jamie.

- -- Package-specific info:
** Environment settings:
EDITOR="emacs -Q -nw"
INTERFACE="text"

** /home/jrollins/.reportbugrc:
reportbug_version "3.2"
realname "Jameson Graef Rollins"
email "jroll...@finestructure.net"
mode advanced
ui text
editor "emacs -nw"
sign gpg

- -- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (600, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages reportbug depends on:
ii  apt               0.8.14.1   Advanced front-end for dpkg
ii  python            2.6.6-14   interactive high-level object-orie
ii  python-reportbug  5.1.1      Python modules for interacting wit

reportbug recommends no packages.

Versions of packages reportbug suggests:
pn  debconf-utils                <none>       (no description available)
pn  debsums                      <none>       (no description available)
ii  dlocate                      1.02         fast alternative to dpkg -L and dp
ii  emacs23-bin-common           23.3+1-1     The GNU Emacs editor's shared, arc
ii  file                         5.04-5+b1    Determines file type using "magic"
ii  gnupg                        1.4.11-3     GNU privacy guard - a free PGP rep
ii  postfix [mail-transport-agen 2.8.3-1      High-performance mail transport ag
ii  python-gtk2                  2.24.0-1     Python bindings for the GTK+ widge
pn  python-gtkspell              <none>       (no description available)
pn  python-urwid                 <none>       (no description available)
pn  python-vte                   <none>       (no description available)
ii  xdg-utils                    1.1.0~rc1-2  desktop integration utilities from

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

-----END PGP SIGNATURE-----
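
The coverage gap this report describes can be checked structurally on any outgoing message. The following is an added example, not part of the original report and not reportbug's code: it assumes the inline clear-signed layout visible in this message, the names `audit_signature_coverage` and `build_sample` are hypothetical, and the sample messages are constructed. It reports which MIME parts fall outside a signature and flags a signed block with no content; it does not verify signatures cryptographically.

```python
import email
import re
from email.message import EmailMessage

# Inline (clear-signed) PGP block; group 1 is the text the signature covers.
CLEARSIGN = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n(?:[\w-]+: [^\r\n]*\r?\n)*\r?\n"
    r"(.*?)-----BEGIN PGP SIGNATURE-----", re.S)

def audit_signature_coverage(raw):
    """Classify each MIME leaf part as signed, unsigned or signed-but-empty."""
    msg = email.message_from_string(raw)
    report = {"signed": [], "unsigned": [], "empty_signed": []}
    covered = set()
    for part in msg.walk():
        if part.get_content_type() == "multipart/signed" and part.is_multipart():
            # PGP/MIME (RFC 3156): the first child, with everything nested
            # inside it, is what the detached signature covers.
            covered.update(id(p) for p in part.get_payload()[0].walk())
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_multipart() or ctype == "application/pgp-signature":
            continue
        label = part.get_filename() or ctype
        text = ""
        if part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            text = part.get_payload(decode=True).decode(charset, "replace")
        inline = CLEARSIGN.search(text)
        if inline and not inline.group(1).strip():
            report["empty_signed"].append(label)   # signature over nothing
        elif inline or id(part) in covered:
            report["signed"].append(label)
        else:
            report["unsigned"].append(label)       # e.g. a bare attachment
    return report

def build_sample(signed_text):
    """Constructed sample: clear-signed body plus a plain, unsigned attachment."""
    msg = EmailMessage()
    msg.set_content(
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + signed_text +
        "\n-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n")
    msg.add_attachment("constructed log contents\n", filename="debug.log")
    return msg.as_string()

if __name__ == "__main__":
    print(audit_signature_coverage(build_sample("Package: example\nVersion: 1.0")))
    print(audit_signature_coverage(build_sample("")))
```

A non-empty `unsigned` or `empty_signed` list is the condition to stop on before the message is sent.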