Your message dated Sat, 8 Mar 2025 07:23:07 +0100
with message-id <z8vis5uz6zqy5...@argenau.bebt.de>
and subject line Re: Bug#1098951: ostree: FTBFS against gpg 2.4.7-5: FAIL:
tests/test-gpg-verify-result
has caused the Debian Bug report #1098951,
regarding ostree: FTBFS against gpg 2.4.7-5 and >= 2.2.46-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1098951: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098951
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ostree
Version: 2025.1-1
Severity: important
Hello,
ostree throws a testsuite error against gpg 2.4.7-5:
FAIL: tests/test-gpg-verify-result 5 /gpg-verify-result/expired-key -
OSTree:ERROR:tests/test-gpg-verify-result.c:288:test_expired_key: 'key_expired'
should be TRUE
This did not happen against 2.4.7-4. 2.4.7-5 adds number of patches and
the triggering commit is
62d8d2f024d5e5c3289d5bf7892013dc18eac4b0 void DoS on signature verification
https://salsa.debian.org/debian/gnupg2/-/commit/62d8d2f024d5e5c3289d5bf7892013dc18eac4b0
which adds three patches from upstream STABLE-BRANCH-2-4:
+ 25d748c3dfc0102f9e54afea59ff26b3969bd8c1 gpg: Lookup key for
merging/inserting only by primary key.
+ da0164efc7f32013bc24d97b9afa9f8d67c318bb gpg: Fix a verification DoS
due to a malicious subkey in the keyring.
+ 9cd371b12d80cfc5bc85cb6e5f5eebb4decbe94f gpg: Remove a signature
check function wrapper.
Ostree's autopkgtest throws more errors, which I do not see on a local
rebuild in sid chroot.
cu Andreas
-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.12-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
On 2025-02-26 Andreas Metzler <ametz...@bebt.de> wrote:
> Control: retitle -1 ostree: FTBFS against gpg 2.4.7-5 and >= 2.2.46-2
> Control: severity -1 serious
> On 2025-02-26 Andreas Metzler <ametz...@bebt.de> wrote:
> > Source: ostree
> > Version: 2025.1-1
> > Severity: important
> > Hello,
> > ostree throws a testsuite error against gpg 2.4.7-5:
> > FAIL: tests/test-gpg-verify-result 5 /gpg-verify-result/expired-key -
> > OSTree:ERROR:tests/test-gpg-verify-result.c:288:test_expired_key:
> > 'key_expired' should be TRUE
> [...]
> With gpg 2.2.46-2 also cherry-picking these patches the same testsuite
> error is triggered. Bumping severity since this affects sid/trixie.
This was fixed on the gnupg side with 2.4.7-8 and 2.2.46-4.
cu Andreas
--- End Message ---
