Guillem Jover wrote...
> A recent dupload improvement to switch from its GnuPG based OpenPGP
> verification hook to use the dpkg OpenPGP multi-backend
> implementation, which as a side effect got rid of a very old code path
> that was ignoring some GnuPG verification failures, resurfaced an old
> known problem with OpenPGP certificates with SHA-1 issues in the
> Debian keyrings.
Being one of those on the list, I'm even more confused than I'd be about
this anyway.
So those people you listed:
* Did they do something wrong (although certainly with best intentions)?
* Are they just victims of the circumstances (versions of the software,
unhandy configuration, ...)?
* Is this a problem if apparently everything went fine in the many past
years?
* Is there a problem to come?
* Is there something they should do about it?
* Is there something they can do about it? Unless perhaps creating
a new key?
* Are measures in place so that newly generated keys will not suffer from
these problems?
# appears as big_question_marks
Christoph