Guillem Jover wrote...
> A recent dupload improvement to switch from its GnuPG based OpenPGP
> verification hook to use the dpkg OpenPGP multi-backend
> implementation, which as a side effect got rid of a very old code path
> that was ignoring some GnuPG verification failures, resurfaced an old
> known problem with OpenPGP certificates with SHA-1 issues in the
> Debian keyrings.

Being one of those on the list, I'm even more confused than I'd be about
this anyway.
So those people you listed:
* Did they do something wrong (although certainly with best intentions)?
* Are they just victims of the circumstances (versions of the software,
unhandy configuration, ...)?
* Is this a problem if apparently everything went fine in the many past
years?
* Is there a problem to come?
* Is there something they should do about it?
* Is there something they can do about it? Unless perhaps creating
a new key?
* Are measures in place so that newly generated keys will not suffer from
these problems?
# appears as big_question_marks
Christoph

