
Bug#770870: marked as done (cdimage.debian.org: Untrustworthy key used to sign SHA512SUMS: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B)



Your message dated Mon, 24 Nov 2014 20:48:51 +0000
with message-id <1416862131.28376.27.camel@adam-barratt.org.uk>
and subject line [Fwd: I don't use this email address. Re: Bug#770870: Re: cdimage.debian.org: Untrustworthy key used to sign SHA512SUMS: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B]
has caused the Debian Bug report #770870,
regarding cdimage.debian.org: Untrustworthy key used to sign SHA512SUMS: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
770870: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770870
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: cdimage.debian.org
Severity: important

Dear Maintainer,

Debian 7.7 SHA512SUMS are signed with a key that doesn't appear to be signed
by anyone on the Debian keyring, leaving SHA512SUMS unverifiable by any easy
means.

Please note that I have the debian keyring installed in GPG on the machine
on which the following operation was performed.


$ gpg --verify SHA512SUMS.sign
gpg: Signature made Sun Oct 19 19:45:39 2014 PDT using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B


Meanwhile, it appears this has been noted as a problem since 2011 on the
Debian forums: http://forums.debian.net/viewtopic.php?f=17&t=62272&p=561324

I shouldn't need to remind anyone that we are living in an age of known
MitM attacks versus FOSS software downloads.  Verifying Debian ISOs NEEDS TO
BE EASY.  I can pretty much guarantee you I'm the 1 in 100 users who wouldn't
have given up reporting this when:

* I got an HTTP 500 from the "HyperEstraier based search engine" for Debian
  bugs at http://bugs-search.debian.org/cgi-bin/search.cgi when I looked to
  see if it had already been reported

* I came up against the 11-printed-pages wall of text at https://www.debian.org/Bugs/Reporting

* I found through the wall of text that there was no web interface for bug
  reporting, in this, the Year of Our Lord 2014

* I had to install 'reportbug' on a random Raspberry Pi just to get you this
  message.


I know that producing Debian is hard work and that Debian is an accretion of
decades of hard work, but peeps.  Snowden.  NSA.  This is not 1998.  Verifying
downloaded software needs to be EASY TO DO, and you might want bug reporting
to be easy to do, too, even though it involves dealing with lots of dupes from
noobs - if your system is byzantine and/or broken enough to put off actual
software developers, it's ungood.


-- System Information:
Debian Release: 7.6
Architecture: armhf (armv6l)

Kernel: Linux 3.12.28+ (PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
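The transcript in the report shows the pitfall behind this bug: gpg prints "Good signature" and still exits 0 when the key is not certified by anything in the local web of trust, so neither the human-readable output nor the exit status says whether the key is the one Debian actually uses. The usual remedy is to pin the expected primary-key fingerprint (the one published out of band) and compare it against gpg's machine-readable status lines, then check the digests listed in SHA512SUMS. The script below is an added example, not code from the bug report or from Debian's tooling. It assumes the status lines were captured with `gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS`; the status lines, the ISO contents and their file names are constructed inline so it runs offline, and the fingerprint is the one quoted in the report.

```python
"""Added example (not part of the bug report or of Debian's tooling): pin the
signing key's fingerprint using gpg's --status-fd output instead of relying on
web-of-trust certification, then verify the SHA512SUMS entries.  All inputs are
constructed inline so the script runs offline."""
import hashlib
import re

# Fingerprint quoted in the report, spaces removed: the value a downloader
# compares against the fingerprint published out of band.
EXPECTED_FPR = "DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Constructed gpg --status-fd output (line format per GnuPG doc/DETAILS) for
# the report's case: good signature, key not certified in the local web of
# trust.  gpg exits 0 here, so the exit status alone cannot distinguish
# "verified against the key I expect" from "verified against some key".
STATUS_GOOD_UNCERTIFIED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2014-10-19 1413773139 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed status output for a SHA512SUMS that no longer matches its signature.
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>
"""

FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def verify_status(status_text, expected_fpr):
    """Return (ok, reason).  ok is True only if gpg emitted VALIDSIG and the
    primary-key fingerprint equals the pinned one.  TRUST_* lines are left
    informational: the pin replaces web-of-trust certification."""
    primary_fpr = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in FAILURE_KEYWORDS:
            return False, keyword
        if keyword == "VALIDSIG":
            # fields[2] is the fingerprint of the key that made the signature;
            # newer gpg appends the primary key's fingerprint as the 12th field,
            # which is what a signature made by a subkey must be pinned against.
            primary_fpr = (fields[11] if len(fields) >= 12 else fields[2]).upper()
    if primary_fpr is None:
        return False, "NO_VALIDSIG"
    if primary_fpr != expected_fpr.replace(" ", "").upper():
        return False, "FINGERPRINT_MISMATCH"
    return True, "PINNED_KEY"


# sha512sum output format: 128 hex digits, two spaces, file name.
SUMS_LINE_RE = re.compile(r"^([0-9a-fA-F]{128})  (.+)$")


def parse_sha512sums(text):
    """Map file name -> lowercase hex digest from a SHA512SUMS file."""
    sums = {}
    for line in text.splitlines():
        match = SUMS_LINE_RE.match(line)
        if match:
            sums[match.group(2)] = match.group(1).lower()
    return sums


def check_files(sums, files):
    """files maps file name -> bytes (stand-in for reading ISOs from disk).
    Returns file name -> 'OK' | 'FAILED' | 'MISSING' for every listed entry."""
    results = {}
    for name, expected in sums.items():
        data = files.get(name)
        if data is None:
            results[name] = "MISSING"
        elif hashlib.sha512(data).hexdigest() == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


# Constructed stand-ins for two images and the SHA512SUMS that lists them.
ISO_FILES = {
    "debian-7.7.0-amd64-netinst.iso": b"constructed netinst image bytes",
    "debian-7.7.0-amd64-CD-1.iso": b"constructed CD-1 image bytes",
}
SHA512SUMS_TEXT = "".join(
    "%s  %s\n" % (hashlib.sha512(data).hexdigest(), name)
    for name, data in ISO_FILES.items()
)


def verify_download(status_text, sums_text, files, expected_fpr=EXPECTED_FPR):
    """Signature pinned to the expected key first, then per-file digests.
    Returns (ok, detail) where detail is the failing reason or the per-file results."""
    sig_ok, reason = verify_status(status_text, expected_fpr)
    if not sig_ok:
        return False, {"signature": reason}
    results = check_files(parse_sha512sums(sums_text), files)
    return all(r == "OK" for r in results.values()), results


if __name__ == "__main__":
    print(verify_download(STATUS_GOOD_UNCERTIFIED, SHA512SUMS_TEXT, ISO_FILES))
    print(verify_download(STATUS_BAD, SHA512SUMS_TEXT, ISO_FILES))
```

The order matters: the digests are only meaningful once the SHA512SUMS file itself has been tied to the pinned key, which is why `verify_download` refuses to look at the files when the signature check fails. Pinning the primary fingerprint rather than the short key ID in the GOODSIG line avoids the known collision problem with 32-bit key IDs.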
--- Begin Message ---
Submitter doesn't accept mail to the submitter address and this isn't a
bug; closing.
--- Begin Message ---
Hi there, thanks for emailing me at gordon.morehouse@gmail.com. I don't use this email address. Please contact me in a different way to obtain my actual email address.


--- End Message ---

--- End Message ---