Your message dated Mon, 24 Nov 2014 20:48:51 +0000
with message-id <1416862131.28376.27.camel@adam-barratt.org.uk>
and subject line [Fwd: I don't use this email address. Re: Bug#770870: Re: cdimage.debian.org: Untrustworthy key used to sign SHA512SUMS: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B]
has caused the Debian Bug report #770870,
regarding cdimage.debian.org: Untrustworthy key used to sign SHA512SUMS: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
770870: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770870
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: cdimage.debian.org: Untrustworthy key used to sign SHA512SUMS: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
- From: Gordon Morehouse <gordon.morehouse@gmail.com>
- Date: Mon, 24 Nov 2014 12:21:14 -0800
- Message-id: <20141124202114.19833.71178.reportbug@chehalem>
Package: cdimage.debian.org
Severity: important

Dear Maintainer,

Debian 7.7 SHA512SUMS are signed with a key that doesn't appear to be signed by anyone on the Debian keyring, leaving SHA512SUMS unverifiable by any easy means.

Please note that I have the debian keyring installed in GPG on the machine on which the following operation was performed.

$ gpg --verify SHA512SUMS.sign
gpg: Signature made Sun Oct 19 19:45:39 2014 PDT using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

Meanwhile, it appears this has been noted as a problem since 2011 on the Debian forums:

http://forums.debian.net/viewtopic.php?f=17&t=62272&p=561324

I shouldn't need to remind anyone that we are living in an age of known MitM attacks versus FOSS software downloads. Verifying Debian ISOs NEEDS TO BE EASY.

I can pretty much guarantee you I'm the 1 in 100 users who wouldn't have given up reporting this when:

* I got an HTTP 500 from the "HyperEstraier based search engine" for Debian bugs at http://bugs-search.debian.org/cgi-bin/search.cgi when I looked to see if it had already been reported
* I came up against the 11-printed-pages wall of text at https://www.debian.org/Bugs/Reporting
* I found through the wall of text that there was no web interface for bug reporting, in this, the Year of Our Lord 2014
* I had to install 'reportbug' on a random Raspberry Pi just to get you this message.

I know that producing Debian is hard work and that Debian is an accretion of decades of hard work, but peeps. Snowden. NSA. This is not 1998.
Verifying downloaded software needs to be EASY TO DO, and you might want bug reporting to be easy to do, too, even though it involves dealing with lots of dupes from noobs - if your system is byzantine and/or broken enough to put off actual software developers, it's ungood.

-- System Information:
Debian Release: 7.6
Architecture: armhf (armv6l)
Kernel: Linux 3.12.28+ (PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
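The situation in the report above (a good signature from a key with no trust path), as an added example that is not part of the original thread or of Debian's tooling: a shell function that reads `gpg --status-fd` output and accepts a signature only when it was made by one pinned fingerprint. It assumes the fingerprint quoted in the report has been confirmed through an independent channel; `check_status` and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Fingerprint quoted in the bug report (spaces removed). Assumption: it has
# been confirmed through a channel independent of the download mirror.
PINNED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# check_status PINNED: reads `gpg --status-fd` lines on stdin. Returns 0 only
# if a VALIDSIG line names PINNED as primary key and nothing bad, expired,
# revoked or unverifiable was reported. TRUST_* is shown but not required:
# the pin stands in for the web of trust.
check_status() {
    pinned=$1 match=0 bad="" trust="none"
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            VALIDSIG)   # last field is the primary key fingerprint
                [ "${rest##* }" = "$pinned" ] && match=1 ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                bad=$keyword ;;
            TRUST_*)
                trust=$keyword ;;
        esac
    done
    if [ -n "$bad" ]; then echo "reject: $bad"; return 1; fi
    if [ "$match" = 1 ]; then echo "ok trust=$trust"; return 0; fi
    echo "reject: no valid signature from pinned key"; return 1
}

# Constructed status output modelled on the report: good signature, no trust path.
SAMPLE_UNTRUSTED='[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2014-10-20 1413773139 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED'
# Constructed: same shape, but signed by a different (placeholder) key.
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 0000000000000001 Constructed other key
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2014-10-20 1413773139 0 4 0 1 10 00 0000000000000000000000000000000000000001
[GNUPG:] TRUST_UNDEFINED'
# Constructed: checksum file altered after signing.
SAMPLE_TAMPERED='[GNUPG:] BADSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>'

for s in "$SAMPLE_UNTRUSTED" "$SAMPLE_OTHER_KEY" "$SAMPLE_TAMPERED"; do
    printf '%s\n' "$s" | check_status "$PINNED_FPR" || true
done
# Real use:
#   gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS 2>/dev/null | check_status "$PINNED_FPR"
```

The check is strict: a signature file that also carries a signature from a key missing from the keyring produces ERRSIG and is rejected.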
--- Begin Message ---
- To: 770870-done@bugs.debian.org
- Subject: [Fwd: I don't use this email address. Re: Bug#770870: Re: cdimage.debian.org: Untrustworthy key used to sign SHA512SUMS: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B]
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Mon, 24 Nov 2014 20:48:51 +0000
- Message-id: <1416862131.28376.27.camel@adam-barratt.org.uk>
Submitter doesn't accept mail to the submitter address and this isn't a bug; closing.
--- Begin Message ---
- To: adam@adam-barratt.org.uk
- Subject: I don't use this email address. Re: Bug#770870: Re: cdimage.debian.org: Untrustworthy key used to sign SHA512SUMS: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
- From: "Gordon Morehouse" <gordon.morehouse@gmail.com>
- Date: Mon, 24 Nov 2014 12:38:17 -0800
- Message-id: <CADPF4LniBKp0HL5VCMdQ5-sgW8NQRwYhX=MiJeVs_VoMR=zHYA@mail.gmail.com>
Hi there, thanks for emailing me at gordon.morehouse@gmail.com. I don't use this email address. Please contact me in a different way to obtain my actual email address.
--- End Message ---
--- End Message ---