On Sat, 2 Feb 2013 23:51:42 -0500 Michael Gilbert wrote:
> package: debian-keyring
> version: 2012.11.15
> severity: important
>
> Signature verification currently fails on source packages that were
> signed by keys that are no longer present in the active keyrings.
> This can easily lead to the i
Date: Sun, 2 Jun 2013 13:47:04 -0400
From: Michael Gilbert
On Sat, Feb 02, 2013 at 11:51:42PM -0500, Michael Gilbert wrote:
> package: debian-keyring
> version: 2012.11.15
> severity: important
>
> Signature verification currently fails on source packages that were
> si
Date: Sat, 2 Feb 2013 23:51:42 -0500
From: Michael Gilbert
On Sat, Jun 1, 2013 at 6:48 PM, Jonathan McDowell wrote:
> tags 699661 wontfix
> thanks
>
> On Sat, Feb 16, 2013 at 03:11:09PM -0500, Michael Gilbert wrote:
>> > Note that signature date is part of the information
>> > contained in the gpg signature block.
>>
>> Rethinking this, I suppose that coul
tags 699661 wontfix
thanks
On Sat, Feb 16, 2013 at 03:11:09PM -0500, Michael Gilbert wrote:
> > Note that signature date is part of the information
> > contained in the gpg signature block.
>
> Rethinking this, I suppose that could be faked with a compromised key.
>
> So, really the trust path w
> Note that signature date is part of the information
> contained in the gpg signature block.
Rethinking this, I suppose that could be faked with a compromised key.
So, really the trust path would also require checking that that
package originated from debian, i.e. that the dsc matches the
inform
On Wed, Feb 13, 2013 at 8:18 PM, Jonathan McDowell wrote:
> On Sat, Feb 02, 2013 at 11:51:42PM -0500, Michael Gilbert wrote:
>> package: debian-keyring
>> version: 2012.11.15
>> severity: important
>>
>> Signature verification currently fails on source packages that were
>> signed by keys that are
On Sat, Feb 02, 2013 at 11:51:42PM -0500, Michael Gilbert wrote:
> package: debian-keyring
> version: 2012.11.15
> severity: important
>
> Signature verification currently fails on source packages that were
> signed by keys that are no longer present in the active keyrings.
> This can easily lead
package: debian-keyring
version: 2012.11.15
severity: important
Signature verification currently fails on source packages that were
signed by keys that are no longer present in the active keyrings.
This can easily lead to the incorrect conclusion that those packages
are not to be trusted or possib