Bug#796593: pu: package emdebian-archive-keyring/2.0.4
Control: tags -1 + moreinfo
On Sat, 2015-08-22 at 23:16 +0100, Wookey wrote:
> The emdebian-archive-keyring package in jessie contains the old key
> which was revoked when the emdebian server was compromised in November
> 2014.
Well, it contains a revoked copy of the key and no active keys, as per
#771166.
> A new server has since been set up and a new key used for the
> cross-toolchain/cross-building archive which is still hosted
> there. This is the recommended way to get cross-toolchains installed
> for jessie (for pre-built architectures):
> https://wiki.debian.org/CrossToolchains#For_jessie_.28Debian_8.29
>
> This is made much harder than it should be because manual key
> downloading and checking is needed due to this package (version 2.0.4)
> being essentially useless in jessie.
The timing was rather unfortunate.
> The 2.0.5 version in testing really should be in jessie too so that
> people would have a convenient authenticated route to using the jessie
> cross-toolchains archive.
>
> AIUI I do not need to do a new upload if the package containing just
> the necesary fix is already in unstable/testing. That is the case here.
No, you definitely need a new upload (most likely as 2.0.5~deb8u1).
> Attached is the diff for 2.0.4 -> 2.0.5
- -- Neil Williams <codehelp@debian.org> Thu, 27 Nov 2014 09:27:56 +0000
+Wookey, June 2015
NEWS.Debian is documented (as far as
https://www.debian.org/doc/manuals/developers-reference/ch06.en.html#bpp-news-debian counts) as using the same format as debian/changelog, including for trailers. I imagine the above will fail "dch --news" at least; I'm not sure about other tools such as apt-listchanges.
> (Note: I will be offline until 5th Sept - not sure what the schedule
> for the next stable release is)
It's scheduled for the 5th and the window for getting updates in to it
has already closed.
Regards,
Adam
Reply to: