Bug#771166: marked as done (unblock: emdebian-archive-keyring/2.0.4)



Your message dated Thu, 27 Nov 2014 22:16:05 +0100
with message-id <54779495.4040703@thykier.net>
and subject line Re: Bug#771166: (approval) unblock: emdebian-archive-keyring/2.0.4
has caused the Debian Bug report #771166,
regarding unblock: emdebian-archive-keyring/2.0.4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
771166: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771166
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

The emdebian-archive-keyring needs a security fix. Having
talked with the security team, it does not need a DSA, just
a new upload which revokes the only key in the keyring package.

The emdebian.org server has recently been replaced and no longer
uses the key from the old server. The old server had stopped running
builds, updates or mirror pushes and was subsequently compromised
before being decommissioned. emdebian.org is now running on a new
server but the website needs updates.

The repositories formerly signed by this key have not been updated
for some time - emdebian grip has ceased updates and the toolchains
have moved to Debian experimental. There is no evidence that
the files on the mirrors have been changed since the compromise as
the mirror push had already been disabled some months prior. The
revocation of 0x97BB3B58 has already been uploaded to keyservers.

Please let me know if an unblock would be accepted for
emdebian-archive-keyring. The debdiff is attached and includes
a NEWS file about the change. An update of the package in stable
will also be required.

Once Jessie is released with this update, emdebian-archive-keyring
will be removed from Sid and Stretch.

Please let me know whether you need a bug in the BTS just for this
or whether the security fix can be unblocked without it.

unblock emdebian-archive-keyring/2.0.4

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
armhf
arm64

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
diffstat for emdebian-archive-keyring-2.0.3 emdebian-archive-keyring-2.0.4

 0x97BB3B58.txt   |   48 +++++++++++++++++++++++++-----------------------
 debian/NEWS      |   14 ++++++++++++++
 debian/changelog |    6 ++++++
 3 files changed, 45 insertions(+), 23 deletions(-)

diff -Nru emdebian-archive-keyring-2.0.3/0x97BB3B58.txt emdebian-archive-keyring-2.0.4/0x97BB3B58.txt
--- emdebian-archive-keyring-2.0.3/0x97BB3B58.txt	2011-03-27 07:14:09.000000000 +0100
+++ emdebian-archive-keyring-2.0.4/0x97BB3B58.txt	2014-11-27 09:26:06.000000000 +0000
@@ -1,5 +1,5 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.6 (GNU/Linux)
+Version: GnuPG v1
 
 mQGiBEY1QygRBACUM8ypZIqJu1O/jjmZJ2XmVHPUMygzcAOXfOsfLBaIz5UmYOCc
 22iFN5Milj4hEpgrVnyGgXZh1vA2xbxGZNdjMfge7z0Bvf93RM6gzVnU4EXWu4sW
@@ -9,26 +9,28 @@
 lncL6e8+b8gG8f+asV2JbdpZCR4KiDyko6VCWZswqpKytrgK+hK+ECS5Mre1Oy+Z
 RuaFBACJcxP4h4M0J1vY0wzlXUw81u+BNJkGanW57JIsP/mwvR4MqLfyi7tAmuPX
 L6/aWsLvLGYZlFJynZ+1mXXoRUevCGcEc9gK/dpTKVYLRsS0TtNXwaY4hwF7QpBb
-gh6Bx/TDBHYjADaYu2EZcwFI29kgwAfwAfyabB/hCfKHT12D5rQcRW1kZWJpYW4g
-QXJjaGl2ZSBTaWduaW5nIEtleYhgBBMRAgAgBQJGNUMoAhsDBgsJCAcDAgQVAggD
-BBYCAwECHgECF4AACgkQtbdyAJe7O1gTpgCgv5hYIBB7STKXAzNkQzhDzvMrJM4A
-oMABwK3Q948TDKFKIWu2yDJ9KAjBiEUEEBECAAYFAkY3M/4ACgkQIWclcBdP7jX7
-HwCcDWmGKUTkRA+GA3d81BW7lwRzSPgAmL2SVYU8VK+TpwLzUbWn2EGkBUWIRgQQ
-EQIABgUCRjZfwwAKCRCIAQlKKLyz45evAJ4qfetNIo1MWcqM8rA6OyN0vkFV/ACg
-8/5CZw4oLOHuq4+WIbbpHDiV37SIRgQQEQIABgUCRjZf2QAKCRCTsNWvqJf9Asix
-AJ9e3zbMLmBxi0dZng3MmiBF0ex6qgCcDWGwW16fPG+XN28ewH8k+WSoS0u5Ag0E
-RjVDKhAIAMPHsF7MCR/bgzmznXVXV1QuIDHR9NTAGqFiaGMBKK26rHSN8Wds3zPW
-R/MBvkCknn9MwW2a4B7Vrdz9RAg3cUYmSYbHBNDtCTV8b14fNAoc3nsjblgZ+/+0
-zDvR9ZNv3cUBaCqJ1hlZqZbOWi1XPTv2r2CRe2A6q9oGj54NmpSIO7EcH2yYcx0G
-TafY4ZDqZha3kmzLSq1gh2s5kph9NyB2pBu31pY3PDPKkxE6+ZAWb6oHZUaKOtr4
-aXnqLxYzSi6Wv3kS5xXS+ZbCv5lz/KlTTIlLRm86wvwRnqGqjBGH4knyB+VKtxlR
-/T+aRQxCMSIICYzpfvM+O8a+hH9Z+zMAAwYIAMFAqo9dmRfc7BPLhRxb9erSaEhx
-b05lwiDyzPP6B5hcK8t8S/L4k9HwOXoYfnR7/GqUjSj4dYZ5uLlTLOASMpv+5Yq4
-EmPhuqKWM7MAK0uQXVsxSktswNHEHb5c3H8VfQJvpUdelnJdSfqttKvz9Cm1rtPR
-KylIK/naQJlZ5XxuAcV+PDcWOHq6B2uV2aG5CGT2yVM9VjxIkMLBPGXxPjPIKKZk
-y1TTdOdQdGvSyNOu4gd0o+4i07IZSXBsHarFPTKGoAZ+YsKRJ3ODAKeKnYXIQQf/
-OmmHdkKOfRkVDogZyKHVhSNVEOZ4NyZwbjXc8FtKGOUYvXcpjuxqzqRckteISQQY
-EQIACQUCRjVDKgIbDAAKCRC1t3IAl7s7WNO0AJ0aws9mKLgL0CQKvAKs5UBmpgAT
-XQCfdqJCUVSEsRcihgP8VfOpPeXm0Vs=
-=yQ2U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+=aGyf
 -----END PGP PUBLIC KEY BLOCK-----
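
Review bot: The replacement key block in 0x97BB3B58.txt cannot be checked by reading the armor, and as shown here the hunk carries only the removed lines and the new checksum `=aGyf`, so nothing visible confirms that the new export contains the revocation signature rather than a plain re-export of the same key. Please include the output of `gpg --list-packets 0x97BB3B58.txt` in the request, so the key revocation signature packet (signature class 0x20) can be seen and matched against the revocation already uploaded to the keyservers.
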
diff -Nru emdebian-archive-keyring-2.0.3/debian/changelog emdebian-archive-keyring-2.0.4/debian/changelog
--- emdebian-archive-keyring-2.0.3/debian/changelog	2012-03-24 09:27:59.000000000 +0000
+++ emdebian-archive-keyring-2.0.4/debian/changelog	2014-11-27 09:25:43.000000000 +0000
@@ -1,3 +1,9 @@
+emdebian-archive-keyring (2.0.4) unstable; urgency=medium
+
+  * Revoke 0x97BB3B58 and disable the keyring. 
+
+ -- Neil Williams <codehelp@debian.org>  Thu, 27 Nov 2014 09:25:41 +0000
+
 emdebian-archive-keyring (2.0.3) unstable; urgency=low
 
   * Use working directory as GNUPG homedir and clean up the
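
Review bot: The new entry "Revoke 0x97BB3B58 and disable the keyring." identifies the key only by its 32-bit short ID and names a second action, disabling the keyring, that none of the three files in the diffstat (0x97BB3B58.txt, debian/NEWS, debian/changelog) obviously implements. Short key IDs are collision-prone, so quote the full fingerprint here, and either say that the revocation itself is what disables the keyring or list the packaging change that does it. The same line also ends in a trailing space.
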
diff -Nru emdebian-archive-keyring-2.0.3/debian/NEWS emdebian-archive-keyring-2.0.4/debian/NEWS
--- emdebian-archive-keyring-2.0.3/debian/NEWS	1970-01-01 01:00:00.000000000 +0100
+++ emdebian-archive-keyring-2.0.4/debian/NEWS	2014-11-27 09:33:22.000000000 +0000
@@ -0,0 +1,14 @@
+emdebian-archive-keyring (2.0.4) unstable; urgency=medium
+
+  The only key in this keyring has been revoked due to a
+  possible compromise on the server which was due for
+  replacement.
+  .
+  Emdebian Grip is no longer being updated and the toolchain
+  repository has not been updated since before the compromise
+  as work is ongoing for multiarch-compliant toolchains in
+  Debian.
+  .
+  There is no replacement key for this keyring.
+
+ -- Neil Williams <codehelp@debian.org>  Thu, 27 Nov 2014 09:27:56 +0000
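
Review bot: The NEWS text says the only key "has been revoked" and that there is "no replacement key", but it never names the key and does not tell the user what to do next. Add the key ID (preferably the full fingerprint) and a sentence advising that sources entries for the repositories formerly signed by this key be removed, since nothing signed with it should be trusted any longer. A style point on the same hunk: the lone "." lines are the paragraph separator for debian/control descriptions, while debian/NEWS uses changelog format, where a blank line separates paragraphs, so these dots would be displayed as-is.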

--- End Message ---
--- Begin Message ---
On 2014-11-27 21:26, Cyril Brulebois wrote:
> Control: tag -1 confirmed
> 
> Niels Thykier <niels@thykier.net> (2014-11-27):
>>> Seems reasonable.  Please upload this to unstable and remove the
>>> "moreinfo" tag once it has been accepted into unstable.
>>>
>>> ~Niels
>>>
>>>
>>
>> Saw it uploaded; it just needs approval from d-i now. :)
>>
>> ~Niels
> 
> No objections.
> 
> Mraw,
> KiBi.
> 

Unblocked, thanks.

~Niels

--- End Message ---
