
Re: squeeze update of libmodule-signature-perl?

On 15/05/15 at 20:23, Salvatore Bonaccorso wrote:
> Hi,
> On Fri, Apr 24, 2015 at 06:36:28AM +0200, Salvatore Bonaccorso wrote:
> > Hi Raphael,
> > 
> > On Mon, Apr 20, 2015 at 03:54:51PM +0200, Raphael Hertzog wrote:
> > > Hello dear maintainer(s),
> > > 
> > > the Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of libmodule-signature-perl:
> > > https://security-tracker.debian.org/tracker/source-package/libmodule-signature-perl
> > > 


> > 
> > Sorry for the late reply. I will first focus on the wheezy, jessie and
> > unstable upload but might then as well look at it for squeeze-lts (no
> > commitment yet to it).
> > 
> > In case somebody else takes care of it, it would be great if the changes
> > can be pushed back in a squeeze branch in the pkg-perl repos.
> > 
> > Note that it needs to be investigated if libtest-signature-perl will
> > need an adaption for the changes.
> Small heads up on this: I just have released updates for
> wheezy-security and jessie-security, but won't have time to look at
> squeeze-lts as well this weekend. In case a LTS team member wants to
> take it, I updated as well libtest-signature-perl for compatibility
> with the fix for CVE-2015-3407. For doing a test one could use
> libtest-distmanifest-perl.


I've prepared a libmodule-signature-perl package for squeeze. I think
it's ready to be uploaded, but it'd be great if you can take a look if
everything is ok.

cpansign works fine:
$ cpansign -v
Executing gpg --verify --batch --no-tty --keyserver=hkp://pool.sks-keyservers.net:11371 --keyserver-options=auto-key-retrieve /tmp/4uwKrdiyLS
gpg: Signature made Sun Feb 13 14:07:43 2011 CET using RSA key ID 4526F399
gpg: Good signature from "David Bremner <bremner@debian.org>"
gpg:                 aka "David Bremner <bremner@unb.ca>"
gpg:                 aka "David Bremner <david@tethera.net>"
gpg: WARNING: This subkey has been revoked by its owner!
gpg: reason for revocation: Key is no longer used
gpg: revocation comment: revoking 1k subkeys
gpg: Note: This key has expired!
Primary key fingerprint: 815B 6398 2A79 F8E7 C727  86C4 762B 57BB 7842 06AD
     Subkey fingerprint: 4B29 79BE 9A99 331A 56BB  2616 4E28 8DFF 4526 F399
==> Signature verified OK! <==

Upstream Test::Signature also does:
$ make test
Primary key fingerprint: 66B2 B78E D1B7 7641 4861  D592 B4B3 DD37 3C35 01A0
t/0-signature.t .. ok   

The package is available at: 

    deb https://people.debian.org/~santiago/debian santiago-squeeze-lts/

And at the squeeze-lts branch in my personal git repository:

 git clone  git://anonscm.debian.org/users/santiago/libmodule-signature-perl

I don't have permissions to push into pkg-perl.

I will also update squeeze's libtest-signature-perl. BTW, latest
libtest-signature-perl needs to be imported in pkg-perl git repo.


