[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#796593: marked as done (pu: package emdebian-archive-keyring/2.0.4)

Your message dated Sun, 21 Feb 2016 10:34:21 +0000
with message-id <20160221103421.GE6200@betterave.cristau.org>
and subject line Re: Bug#796593: pu: package emdebian-archive-keyring/2.0.4
has caused the Debian Bug report #796593,
regarding pu: package emdebian-archive-keyring/2.0.4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
796593: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796593
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

The emdebian-archive-keyring package in jessie contains the old key
which was revoked when the emdebian server was compromised in November
2014.

A new server has since been set up and a new key used for the
cross-toolchain/cross-building archive which is still hosted
there. This is the recommended way to get cross-toolchains installed
for jessie (for pre-built architectures): 
https://wiki.debian.org/CrossToolchains#For_jessie_.28Debian_8.29

This is made much harder than it should be because manual key
downloading and checking is needed due to this package (version 2.0.4)
being essentially useless in jessie.

The 2.0.5 version in testing really should be in jessie too so that
people would have a convenient authenticated route to using the jessie
cross-toolchains archive.

AIUI I do not need to do a new upload if the package containing just
the necesary fix is already in unstable/testing. That is the case here.

Attached is the diff for 2.0.4 -> 2.0.5

(Note: I will be offline until 5th Sept - not sure what the schedule
for the next stable release is)

-- System Information:
Debian Release: 7.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru emdebian-archive-keyring-2.0.4/0x97BB3B58.txt emdebian-archive-keyring-2.0.5/0x97BB3B58.txt
--- emdebian-archive-keyring-2.0.4/0x97BB3B58.txt	2014-11-27 09:26:06.000000000 +0000
+++ emdebian-archive-keyring-2.0.5/0x97BB3B58.txt	1970-01-01 01:00:00.000000000 +0100
@@ -1,36 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1
-
-mQGiBEY1QygRBACUM8ypZIqJu1O/jjmZJ2XmVHPUMygzcAOXfOsfLBaIz5UmYOCc
-22iFN5Milj4hEpgrVnyGgXZh1vA2xbxGZNdjMfge7z0Bvf93RM6gzVnU4EXWu4sW
-4nfyPH28/ChsA89mXFnS99zqsRfZNYjQdRCH4LByP7AnXojKU3gq1b4ydwCgzzBV
-izehffV2lW7LDv9NhMePhzMD/0mrIUPfCvp0wKXRSHuYaLZiuoI6gV4HrAxLqeo9
-+GXfBb6n6Fpl52fRGbBAtatZ9wDVJi8v7kFQTvX3vcYGYVKmjJBT2aOx7ZhYNXV2
-lncL6e8+b8gG8f+asV2JbdpZCR4KiDyko6VCWZswqpKytrgK+hK+ECS5Mre1Oy+Z
-RuaFBACJcxP4h4M0J1vY0wzlXUw81u+BNJkGanW57JIsP/mwvR4MqLfyi7tAmuPX
-L6/aWsLvLGYZlFJynZ+1mXXoRUevCGcEc9gK/dpTKVYLRsS0TtNXwaY4hwF7QpBb
-gh6Bx/TDBHYjADaYu2EZcwFI29kgwAfwAfyabB/hCfKHT12D5ohJBCARCgAJBQJU
-cueVAh0CAAoJELW3cgCXuztYfq0An07hWjCfb5DuCbWVYyF1Q/j56gBmAJ9x33CB
-dPq3IxPOiL3MdLh8tv1H07QcRW1kZWJpYW4gQXJjaGl2ZSBTaWduaW5nIEtleYhg
-BBMRAgAgBQJGNUMoAhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQtbdyAJe7
-O1gTpgCgv5hYIBB7STKXAzNkQzhDzvMrJM4AoMABwK3Q948TDKFKIWu2yDJ9KAjB
-iEUEEBECAAYFAkY3M/4ACgkQIWclcBdP7jX7HwCcDWmGKUTkRA+GA3d81BW7lwRz
-SPgAmL2SVYU8VK+TpwLzUbWn2EGkBUWIRgQQEQIABgUCRjZfwwAKCRCIAQlKKLyz
-45evAJ4qfetNIo1MWcqM8rA6OyN0vkFV/ACg8/5CZw4oLOHuq4+WIbbpHDiV37SI
-RgQQEQIABgUCRjZf2QAKCRCTsNWvqJf9AsixAJ9e3zbMLmBxi0dZng3MmiBF0ex6
-qgCcDWGwW16fPG+XN28ewH8k+WSoS0u5Ag0ERjVDKhAIAMPHsF7MCR/bgzmznXVX
-V1QuIDHR9NTAGqFiaGMBKK26rHSN8Wds3zPWR/MBvkCknn9MwW2a4B7Vrdz9RAg3
-cUYmSYbHBNDtCTV8b14fNAoc3nsjblgZ+/+0zDvR9ZNv3cUBaCqJ1hlZqZbOWi1X
-PTv2r2CRe2A6q9oGj54NmpSIO7EcH2yYcx0GTafY4ZDqZha3kmzLSq1gh2s5kph9
-NyB2pBu31pY3PDPKkxE6+ZAWb6oHZUaKOtr4aXnqLxYzSi6Wv3kS5xXS+ZbCv5lz
-/KlTTIlLRm86wvwRnqGqjBGH4knyB+VKtxlR/T+aRQxCMSIICYzpfvM+O8a+hH9Z
-+zMAAwYIAMFAqo9dmRfc7BPLhRxb9erSaEhxb05lwiDyzPP6B5hcK8t8S/L4k9Hw
-OXoYfnR7/GqUjSj4dYZ5uLlTLOASMpv+5Yq4EmPhuqKWM7MAK0uQXVsxSktswNHE
-Hb5c3H8VfQJvpUdelnJdSfqttKvz9Cm1rtPRKylIK/naQJlZ5XxuAcV+PDcWOHq6
-B2uV2aG5CGT2yVM9VjxIkMLBPGXxPjPIKKZky1TTdOdQdGvSyNOu4gd0o+4i07IZ
-SXBsHarFPTKGoAZ+YsKRJ3ODAKeKnYXIQQf/OmmHdkKOfRkVDogZyKHVhSNVEOZ4
-NyZwbjXc8FtKGOUYvXcpjuxqzqRckteISQQYEQIACQUCRjVDKgIbDAAKCRC1t3IA
-l7s7WNO0AJ0aws9mKLgL0CQKvAKs5UBmpgATXQCfdqJCUVSEsRcihgP8VfOpPeXm
-0Vs=
-=aGyf
------END PGP PUBLIC KEY BLOCK-----
diff -Nru emdebian-archive-keyring-2.0.4/1804772E.txt emdebian-archive-keyring-2.0.5/1804772E.txt
--- emdebian-archive-keyring-2.0.4/1804772E.txt	1970-01-01 01:00:00.000000000 +0100
+++ emdebian-archive-keyring-2.0.5/1804772E.txt	2015-07-15 17:51:31.000000000 +0100
@@ -0,0 +1,41 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+mQINBFRzvWoBEADS5HZrevpar6R5w0eirYqZc4LfqN4L1aR96HaUu7o9py62IbKC
+v+27YD9vD7x1G04AfCru9qxGdHtvaRefdgvS3ek4cKe7R90g0MY+kccmmHYdIIRO
+2LE+0lG7PiaKorn0QbeJfQzTzwEAG6agG0kVHODOTI5z/OeTCNK42VJreA2O2Hjn
+PrWflf4vqI7L7sc1R54tYjNMiEtNdhxxz+iMMfz5JQWuYva3+kr3cMsKoumi7MjM
+doLEGjewXevn4vr1lfSc0RIje7wnmRxSn6Us4b34udfZJdm/fnP+JwztZpxRboA0
+S7WbhKYacyJBQEciXTuJqP6Q8xVrZlgMx8jslqAJssDfot6wc9ZqCx297oOJU4EH
+de+OcXWSNGmEhzJgJGhccwe3BB+LM+IU/INDStXf4H7ymSOfrrBzJ32Lsj993Nsq
+/wbyX0tXxrDG//2+xJ+d3FdCb22vdI9gxQTgnqZcw8hZqeWQirl4h6dWMVo1gX66
+Br+B2tv5fBCvTRPHtApO8a+oEX0PVx4VyhyVNh2Zvqs/YeXej+t2Skm0Aie/wc7I
+mwhNpzK7fI9RYslesK7pjiOV8tTysrt1YaMnfY4KPL3YAcklIRVoRGVVrUtJvG4o
+H5AyIjpWsnN9w2v+e/h4r4ERwzUBBmenNrWw2iOZwiLkr9cB8cIg6GBwJQARAQAB
+tChFbWRlYmlhbiBUb29sY2hhaW4gQXJjaGl2ZSAoc2lnbmluZyBrZXkpiQI4BBMB
+AgAiBQJUc71qAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRB94IlnGAR3
+LhI7D/9Capaozbpe/TG7bquQzv4vgYU08ZJC5sCDwb76T2FrEJYNUENprECGCdrC
+MbyEgctWBTUQAlwUpOjhX3pq7PGWpxeByWp3erVt/1Xl920/9fs6n6N/dy1l4NH1
+AoUmf3bKEMYEIN4NCElvgOM71q1W/J8wgvzdYcgMSOoML0ZXrlnJJZ2jToLN1VvN
+tV8uFlbh05SLXeBAhhXDweWfLRPIqPkEAWbkXMrxjmzGnYT8tVLpxxuqL7Fap7PS
+FEvdSFWdKSkSUH7yhp+Z+zgHwAkns9041Ad0ZjIc3UajC7B8/STkOxpJkX/ecIPB
+dzmOeSc+byPhPVRiDuwljmlSLVNQFVzPQr8oU/+jRgKQLt7q8R2+GqasgEgpXe6D
+SjI3n6EOixffN+lATt7UWN5UaX94NzK2fvjnIo7t4kINGFbrsrksk8DnUgBHLJ41
+UVVwiAbYXjUEycS/9lsq44SJq8MEdPNijGYvhW9XDaBWmnClkbd0o0ot9lo2pZ4N
+eRhM/6Yv1/0GpogYsM5sqdPdaBgYzYhHKt+t5RZ6lXV2rKZxxomtzUWioMlgW+XO
+IC7ynzeQYvEm6U73OPPmTZZTynvuDLCGXozDhEwhEisSNtSaXu9Ec8pvwToADrzM
+ob0PyRkGq4opOIqN/3FTVrAzJvvB7GNBFFR1G+xY/jum1bEHAYkCHAQQAQgABgUC
+VKdC9QAKCRD7hjJRqG+eR0HyD/9Q5kllJUBDagL9pLJpSnAB3z1IpU5j8p3NdBJo
+Uffrk3DbPDReQJJCDGl7dr0AAp9p2qSvjzgislabbL52kfZsEom+3iK0N2yxz33A
+jZ0iWndNnoJZqPqy6reozZLZ6qTFxUyffW+5Rh+eM5tVVth1S0uWTAcA5vgRB1MN
+JBhuMAARR3cFbMPqIYWzxZLOGy9Vs+JY/iNdKlbDOPdCFxMVcwMdUpJkM401YM/m
+8mmRyjkHD1WX+CKANe28yez8JFHIjMRGMbe1/fUEVqRiy0cZVkJ5XJyC+ETMeKp3
+7PRuF3ggB3zuFhG4iw8plP4yxrLb4IkDMlqW8LRtRAIki4Z3o2Lt/FnqipE91+IE
+aLghMFcevfS0KMB+khMpwm53G+n9hmuaJSA+AZ0qw87hFWEFM6tNjjsy8W2FoCTs
+ZlCyB2J0g2Nsp+EYL+NFcJJpb6SS6RHtIpBZBWR6x427krm2MbpQBep8C7Hypcor
+6b6mz9QNB95lP0Wde0hYK4glHC95jIq0kaKpNFDvjU9HOObz7vaWqjwjSxtICFVW
+fpV84F50A5izSS0Ma50b06edB2CO/phWQBedkYewLxfta5oMtWVjQxFLmHHsEvMy
+U1BdLoccdwhhRkZjs+QyB5UIxDoLe/+omO0t6bifrYHhEfkxvBoYmKuJqRZFOueX
+V2JyGQ==
+=q84g
+-----END PGP PUBLIC KEY BLOCK-----
diff -Nru emdebian-archive-keyring-2.0.4/debian/changelog emdebian-archive-keyring-2.0.5/debian/changelog
--- emdebian-archive-keyring-2.0.4/debian/changelog	2014-11-27 09:25:43.000000000 +0000
+++ emdebian-archive-keyring-2.0.5/debian/changelog	2015-07-15 18:01:09.000000000 +0100
@@ -1,3 +1,9 @@
+emdebian-archive-keyring (2.0.5) unstable; urgency=medium
+
+  * Resurrect with new emdebian toolchain archive key (1804772E)
+
+ -- Wookey <wookey@debian.org>  Wed, 15 Jul 2015 17:56:35 +0100
+
 emdebian-archive-keyring (2.0.4) unstable; urgency=medium
 
   * Revoke 0x97BB3B58 and disable the keyring. 
diff -Nru emdebian-archive-keyring-2.0.4/debian/control emdebian-archive-keyring-2.0.5/debian/control
--- emdebian-archive-keyring-2.0.4/debian/control	2012-03-24 09:35:31.000000000 +0000
+++ emdebian-archive-keyring-2.0.5/debian/control	2015-07-16 14:44:04.000000000 +0100
@@ -16,8 +16,8 @@
 Depends: ${misc:Depends}, apt, gnupg
 Description: GnuPG archive keys for the emdebian repository
  Emdebian digitally signs its Release files. This package
- contains the archive key used by both Emdebian Crush and
- Emdebian Grip.
+ contains the archive key used for Emdebian repositories 
+ since 2015.
  .
  The key is also available via the Emdebian website and as
  a udeb for debian-installer support.
diff -Nru emdebian-archive-keyring-2.0.4/debian/emdebian-archive-keyring.install emdebian-archive-keyring-2.0.5/debian/emdebian-archive-keyring.install
--- emdebian-archive-keyring-2.0.4/debian/emdebian-archive-keyring.install	2011-03-27 07:14:09.000000000 +0100
+++ emdebian-archive-keyring-2.0.5/debian/emdebian-archive-keyring.install	2015-07-16 14:00:45.000000000 +0100
@@ -1,2 +1,2 @@
-0x97BB3B58.txt ./usr/share/emdebian-tools/
+1804772E.txt ./usr/share/emdebian-tools/
 emdebian-archive-keyring.gpg ./usr/share/emdebian-tools/
diff -Nru emdebian-archive-keyring-2.0.4/debian/NEWS emdebian-archive-keyring-2.0.5/debian/NEWS
--- emdebian-archive-keyring-2.0.4/debian/NEWS	2014-11-27 09:33:22.000000000 +0000
+++ emdebian-archive-keyring-2.0.5/debian/NEWS	2015-07-16 14:24:45.000000000 +0100
@@ -1,14 +1,12 @@
-emdebian-archive-keyring (2.0.4) unstable; urgency=medium
+emdebian-archive-keyring (2.0.5) unstable; urgency=medium
 
-  The only key in this keyring has been revoked due to a
-  possible compromise on the server which was due for
-  replacement.
-  .
-  Emdebian Grip is no longer being updated and the toolchain
-  repository has not been updated since before the compromise
-  as work is ongoing for multiarch-compliant toolchains in
-  Debian.
-  .
-  There is no replacement key for this keyring.
+  This keyring contains a new (2015) key (4096R/1804772E) 
+  for the emdebian archive. This is primarily for use with 
+  the toolchain repositories, as Emdebian Grip is no longer 
+  being updated.
+  
+  The previous key (1024D/97BB3B58) was revoked due to a
+  possible compromise on the old server. There is now a new 
+  server.
 
- -- Neil Williams <codehelp@debian.org>  Thu, 27 Nov 2014 09:27:56 +0000
+Wookey, June 2015
\ No newline at end of file
diff -Nru emdebian-archive-keyring-2.0.4/Makefile emdebian-archive-keyring-2.0.5/Makefile
--- emdebian-archive-keyring-2.0.4/Makefile	2012-03-24 09:25:34.000000000 +0000
+++ emdebian-archive-keyring-2.0.5/Makefile	2015-07-15 17:52:23.000000000 +0100
@@ -1,7 +1,7 @@
 
 all:
 	gpg --no-permission-warning -q --homedir . --no-default-keyring \
-	--keyring ./emdebian-archive-keyring.gpg --import 0x97BB3B58.txt
+	--keyring ./emdebian-archive-keyring.gpg --import 1804772E.txt
 	$(RM) emdebian-archive-keyring.gpg~ secring.gpg trustdb.gpg
 
 install:

--- End Message ---
--- Begin Message --- 
On Wed, Sep  9, 2015 at 15:42:31 +0100, Wookey wrote:

> +++ Adam D. Barratt [2015-08-31 21:17 +0100]:
> > Control: tags -1 + moreinfo
> > 
> > On Sat, 2015-08-22 at 23:16 +0100, Wookey wrote:
> > > The emdebian-archive-keyring package in jessie contains the old key
> > > which was revoked when the emdebian server was compromised in November
> > > 2014.
> > 
> > Well, it contains a revoked copy of the key and no active keys, as per
> > #771166.
> 
> Right.
> 
> > > The 2.0.5 version in testing really should be in jessie too so that
> > > people would have a convenient authenticated route to using the jessie
> > > cross-toolchains archive.
> > > 
> > > AIUI I do not need to do a new upload if the package containing just
> > > the necesary fix is already in unstable/testing. That is the case here.
> > 
> > No, you definitely need a new upload (most likely as 2.0.5~deb8u1).
> 
> OK. I'll do that then. I should have got hold of you at debconf to
> sort this then it would have been done in time for 8.2. But, you know,
> so many distractions.
> 
> > > Attached is the diff for 2.0.4 -> 2.0.5
> > 
> > - -- Neil Williams <codehelp@debian.org>  Thu, 27 Nov 2014 09:27:56 +0000
> > +Wookey, June 2015
> > 
> > NEWS.Debian is documented (as far as
> 
> > https://www.debian.org/doc/manuals/developers-reference/ch06.en.html#bpp-news-debian
> > counts) as using the same format as debian/changelog, including for
> > trailers. I imagine the above will fail "dch --news" at least; I'm not
> > sure about other tools such as apt-listchanges.
> 
> OK. Thanks for pointing that out. learn something every day...
> 
> > > (Note: I will be offline until 5th Sept - not sure what the schedule
> > > for the next stable release is)
> > 
> > It's scheduled for the 5th and the window for getting updates in to it
> > has already closed.
> 
> Right, so this missed, which is sad, but I guess people will live.
> I'll do a new upload as directed and update this bug. 
> 
That doesn't seem to be happening; closing.

Cheers,
Julien

--- End Message ---
Reply to: