--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: pu: package emdebian-archive-keyring/2.0.4
- From: Wookey <wookey@wookware.org>
- Date: Sat, 22 Aug 2015 23:16:32 +0100
- Message-id: <20150822221632.15212.92295.reportbug@cheddar.halon.org.uk>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
The emdebian-archive-keyring package in jessie contains the old key
which was revoked when the emdebian server was compromised in November
2014.
A new server has since been set up and a new key used for the
cross-toolchain/cross-building archive which is still hosted
there. This is the recommended way to get cross-toolchains installed
for jessie (for pre-built architectures): 
https://wiki.debian.org/CrossToolchains#For_jessie_.28Debian_8.29
This is made much harder than it should be because manual key
downloading and checking is needed due to this package (version 2.0.4)
being essentially useless in jessie.
The 2.0.5 version in testing really should be in jessie too so that
people would have a convenient authenticated route to using the jessie
cross-toolchains archive.
AIUI I do not need to do a new upload if the package containing just
the necessary fix is already in unstable/testing. That is the case here.
Attached is the diff for 2.0.4 -> 2.0.5
(Note: I will be offline until 5th Sept - not sure what the schedule
for the next stable release is)
-- System Information:
Debian Release: 7.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru emdebian-archive-keyring-2.0.4/0x97BB3B58.txt emdebian-archive-keyring-2.0.5/0x97BB3B58.txt
--- emdebian-archive-keyring-2.0.4/0x97BB3B58.txt	2014-11-27 09:26:06.000000000 +0000
+++ emdebian-archive-keyring-2.0.5/0x97BB3B58.txt	1970-01-01 01:00:00.000000000 +0100
@@ -1,36 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1
-
-mQGiBEY1QygRBACUM8ypZIqJu1O/jjmZJ2XmVHPUMygzcAOXfOsfLBaIz5UmYOCc
-22iFN5Milj4hEpgrVnyGgXZh1vA2xbxGZNdjMfge7z0Bvf93RM6gzVnU4EXWu4sW
-4nfyPH28/ChsA89mXFnS99zqsRfZNYjQdRCH4LByP7AnXojKU3gq1b4ydwCgzzBV
-izehffV2lW7LDv9NhMePhzMD/0mrIUPfCvp0wKXRSHuYaLZiuoI6gV4HrAxLqeo9
-+GXfBb6n6Fpl52fRGbBAtatZ9wDVJi8v7kFQTvX3vcYGYVKmjJBT2aOx7ZhYNXV2
-lncL6e8+b8gG8f+asV2JbdpZCR4KiDyko6VCWZswqpKytrgK+hK+ECS5Mre1Oy+Z
-RuaFBACJcxP4h4M0J1vY0wzlXUw81u+BNJkGanW57JIsP/mwvR4MqLfyi7tAmuPX
-L6/aWsLvLGYZlFJynZ+1mXXoRUevCGcEc9gK/dpTKVYLRsS0TtNXwaY4hwF7QpBb
-gh6Bx/TDBHYjADaYu2EZcwFI29kgwAfwAfyabB/hCfKHT12D5ohJBCARCgAJBQJU
-cueVAh0CAAoJELW3cgCXuztYfq0An07hWjCfb5DuCbWVYyF1Q/j56gBmAJ9x33CB
-dPq3IxPOiL3MdLh8tv1H07QcRW1kZWJpYW4gQXJjaGl2ZSBTaWduaW5nIEtleYhg
-BBMRAgAgBQJGNUMoAhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQtbdyAJe7
-O1gTpgCgv5hYIBB7STKXAzNkQzhDzvMrJM4AoMABwK3Q948TDKFKIWu2yDJ9KAjB
-iEUEEBECAAYFAkY3M/4ACgkQIWclcBdP7jX7HwCcDWmGKUTkRA+GA3d81BW7lwRz
-SPgAmL2SVYU8VK+TpwLzUbWn2EGkBUWIRgQQEQIABgUCRjZfwwAKCRCIAQlKKLyz
-45evAJ4qfetNIo1MWcqM8rA6OyN0vkFV/ACg8/5CZw4oLOHuq4+WIbbpHDiV37SI
-RgQQEQIABgUCRjZf2QAKCRCTsNWvqJf9AsixAJ9e3zbMLmBxi0dZng3MmiBF0ex6
-qgCcDWGwW16fPG+XN28ewH8k+WSoS0u5Ag0ERjVDKhAIAMPHsF7MCR/bgzmznXVX
-V1QuIDHR9NTAGqFiaGMBKK26rHSN8Wds3zPWR/MBvkCknn9MwW2a4B7Vrdz9RAg3
-cUYmSYbHBNDtCTV8b14fNAoc3nsjblgZ+/+0zDvR9ZNv3cUBaCqJ1hlZqZbOWi1X
-PTv2r2CRe2A6q9oGj54NmpSIO7EcH2yYcx0GTafY4ZDqZha3kmzLSq1gh2s5kph9
-NyB2pBu31pY3PDPKkxE6+ZAWb6oHZUaKOtr4aXnqLxYzSi6Wv3kS5xXS+ZbCv5lz
-/KlTTIlLRm86wvwRnqGqjBGH4knyB+VKtxlR/T+aRQxCMSIICYzpfvM+O8a+hH9Z
-+zMAAwYIAMFAqo9dmRfc7BPLhRxb9erSaEhxb05lwiDyzPP6B5hcK8t8S/L4k9Hw
-OXoYfnR7/GqUjSj4dYZ5uLlTLOASMpv+5Yq4EmPhuqKWM7MAK0uQXVsxSktswNHE
-Hb5c3H8VfQJvpUdelnJdSfqttKvz9Cm1rtPRKylIK/naQJlZ5XxuAcV+PDcWOHq6
-B2uV2aG5CGT2yVM9VjxIkMLBPGXxPjPIKKZky1TTdOdQdGvSyNOu4gd0o+4i07IZ
-SXBsHarFPTKGoAZ+YsKRJ3ODAKeKnYXIQQf/OmmHdkKOfRkVDogZyKHVhSNVEOZ4
-NyZwbjXc8FtKGOUYvXcpjuxqzqRckteISQQYEQIACQUCRjVDKgIbDAAKCRC1t3IA
-l7s7WNO0AJ0aws9mKLgL0CQKvAKs5UBmpgATXQCfdqJCUVSEsRcihgP8VfOpPeXm
-0Vs=
-=aGyf
------END PGP PUBLIC KEY BLOCK-----
diff -Nru emdebian-archive-keyring-2.0.4/1804772E.txt emdebian-archive-keyring-2.0.5/1804772E.txt
--- emdebian-archive-keyring-2.0.4/1804772E.txt	1970-01-01 01:00:00.000000000 +0100
+++ emdebian-archive-keyring-2.0.5/1804772E.txt	2015-07-15 17:51:31.000000000 +0100
@@ -0,0 +1,41 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+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+=q84g
+-----END PGP PUBLIC KEY BLOCK-----
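Review bot: The new archive key in 1804772E.txt is identified only by an 8-hex-digit short ID, both in the file name and in the changelog entry "(1804772E)", and a short ID is not collision-resistant, so it cannot serve as the check that this armored block is the intended key. Please state the full fingerprint in debian/changelog or debian/NEWS so the block can be compared against a copy obtained over an independent channel before the package is accepted. The old file was named 0x97BB3B58.txt, so the missing 0x prefix here is also an inconsistency worth a conscious decision.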
diff -Nru emdebian-archive-keyring-2.0.4/debian/changelog emdebian-archive-keyring-2.0.5/debian/changelog
--- emdebian-archive-keyring-2.0.4/debian/changelog	2014-11-27 09:25:43.000000000 +0000
+++ emdebian-archive-keyring-2.0.5/debian/changelog	2015-07-15 18:01:09.000000000 +0100
@@ -1,3 +1,9 @@
+emdebian-archive-keyring (2.0.5) unstable; urgency=medium
+
+  * Resurrect with new emdebian toolchain archive key (1804772E)
+
+ -- Wookey <wookey@debian.org>  Wed, 15 Jul 2015 17:56:35 +0100
+
 emdebian-archive-keyring (2.0.4) unstable; urgency=medium
 
   * Revoke 0x97BB3B58 and disable the keyring. 
diff -Nru emdebian-archive-keyring-2.0.4/debian/control emdebian-archive-keyring-2.0.5/debian/control
--- emdebian-archive-keyring-2.0.4/debian/control	2012-03-24 09:35:31.000000000 +0000
+++ emdebian-archive-keyring-2.0.5/debian/control	2015-07-16 14:44:04.000000000 +0100
@@ -16,8 +16,8 @@
 Depends: ${misc:Depends}, apt, gnupg
 Description: GnuPG archive keys for the emdebian repository
  Emdebian digitally signs its Release files. This package
- contains the archive key used by both Emdebian Crush and
- Emdebian Grip.
+ contains the archive key used for Emdebian repositories 
+ since 2015.
  .
  The key is also available via the Emdebian website and as
  a udeb for debian-installer support.
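Review bot: The added line "contains the archive key used for Emdebian repositories " ends in trailing whitespace, which should be stripped. The unchanged paragraph below it still says the key is "available via the Emdebian website and as a udeb"; since this update follows a move to a new server, please confirm that sentence is still accurate for the new key or update it in the same change.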
diff -Nru emdebian-archive-keyring-2.0.4/debian/emdebian-archive-keyring.install emdebian-archive-keyring-2.0.5/debian/emdebian-archive-keyring.install
--- emdebian-archive-keyring-2.0.4/debian/emdebian-archive-keyring.install	2011-03-27 07:14:09.000000000 +0100
+++ emdebian-archive-keyring-2.0.5/debian/emdebian-archive-keyring.install	2015-07-16 14:00:45.000000000 +0100
@@ -1,2 +1,2 @@
-0x97BB3B58.txt ./usr/share/emdebian-tools/
+1804772E.txt ./usr/share/emdebian-tools/
 emdebian-archive-keyring.gpg ./usr/share/emdebian-tools/
diff -Nru emdebian-archive-keyring-2.0.4/debian/NEWS emdebian-archive-keyring-2.0.5/debian/NEWS
--- emdebian-archive-keyring-2.0.4/debian/NEWS	2014-11-27 09:33:22.000000000 +0000
+++ emdebian-archive-keyring-2.0.5/debian/NEWS	2015-07-16 14:24:45.000000000 +0100
@@ -1,14 +1,12 @@
-emdebian-archive-keyring (2.0.4) unstable; urgency=medium
+emdebian-archive-keyring (2.0.5) unstable; urgency=medium
 
-  The only key in this keyring has been revoked due to a
-  possible compromise on the server which was due for
-  replacement.
-  .
-  Emdebian Grip is no longer being updated and the toolchain
-  repository has not been updated since before the compromise
-  as work is ongoing for multiarch-compliant toolchains in
-  Debian.
-  .
-  There is no replacement key for this keyring.
+  This keyring contains a new (2015) key (4096R/1804772E) 
+  for the emdebian archive. This is primarily for use with 
+  the toolchain repositories, as Emdebian Grip is no longer 
+  being updated.
+  
+  The previous key (1024D/97BB3B58) was revoked due to a
+  possible compromise on the old server. There is now a new 
+  server.
 
- -- Neil Williams <codehelp@debian.org>  Thu, 27 Nov 2014 09:27:56 +0000
+Wookey, June 2015
\ No newline at end of file
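Review bot: The trailer of the new NEWS entry, "+Wookey, June 2015", drops the " -- Name <email>  date" form that the removed line used and that the 2.0.5 entry in debian/changelog uses, and the file now ends without a newline. Please restore a changelog-style trailer and the final newline. The month given here (June 2015) also disagrees with the changelog trailer for the same version (Wed, 15 Jul 2015), and the paragraph separator changed from "  ." to a whitespace-only line, so several added lines carry trailing spaces.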
diff -Nru emdebian-archive-keyring-2.0.4/Makefile emdebian-archive-keyring-2.0.5/Makefile
--- emdebian-archive-keyring-2.0.4/Makefile	2012-03-24 09:25:34.000000000 +0000
+++ emdebian-archive-keyring-2.0.5/Makefile	2015-07-15 17:52:23.000000000 +0100
@@ -1,7 +1,7 @@
 
 all:
 	gpg --no-permission-warning -q --homedir . --no-default-keyring \
-	--keyring ./emdebian-archive-keyring.gpg --import 0x97BB3B58.txt
+	--keyring ./emdebian-archive-keyring.gpg --import 1804772E.txt
 	$(RM) emdebian-archive-keyring.gpg~ secring.gpg trustdb.gpg
 
 install:
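Review bot: The "all" rule now imports only 1804772E.txt, so if emdebian-archive-keyring.gpg is generated by this rule the shipped keyring no longer carries the revoked copy of 97BB3B58 that 2.0.4 distributed. Please confirm that dropping the revocation from the keyring is intended and mention it in the changelog entry, which currently records only the addition of the new key. The rule also imports whatever the file contains without checking it; a build-time comparison of the imported key's fingerprint against an expected value would catch a wrong or altered 1804772E.txt.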
--- End Message ---
--- Begin Message ---
- To: Wookey <wookey@wookware.org>, 796593-done@bugs.debian.org
- Cc: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Subject: Re: Bug#796593: pu: package emdebian-archive-keyring/2.0.4
- From: Julien Cristau <jcristau@debian.org>
- Date: Sun, 21 Feb 2016 10:34:21 +0000
- Message-id: <20160221103421.GE6200@betterave.cristau.org>
- In-reply-to: <20150909144230.GZ1661@halon.org.uk>
- References: <20150822221632.15212.92295.reportbug@cheddar.halon.org.uk> <1441052276.1854.42.camel@adam-barratt.org.uk> <20150909144230.GZ1661@halon.org.uk>
On Wed, Sep  9, 2015 at 15:42:31 +0100, Wookey wrote:
> +++ Adam D. Barratt [2015-08-31 21:17 +0100]:
> > Control: tags -1 + moreinfo
> > 
> > On Sat, 2015-08-22 at 23:16 +0100, Wookey wrote:
> > > The emdebian-archive-keyring package in jessie contains the old key
> > > which was revoked when the emdebian server was compromised in November
> > > 2014.
> > 
> > Well, it contains a revoked copy of the key and no active keys, as per
> > #771166.
> 
> Right.
> 
> > > The 2.0.5 version in testing really should be in jessie too so that
> > > people would have a convenient authenticated route to using the jessie
> > > cross-toolchains archive.
> > > 
> > > AIUI I do not need to do a new upload if the package containing just
> > > the necessary fix is already in unstable/testing. That is the case here.
> > 
> > No, you definitely need a new upload (most likely as 2.0.5~deb8u1).
> 
> OK. I'll do that then. I should have got hold of you at debconf to
> sort this then it would have been done in time for 8.2. But, you know,
> so many distractions.
> 
> > > Attached is the diff for 2.0.4 -> 2.0.5
> > 
> > - -- Neil Williams <codehelp@debian.org>  Thu, 27 Nov 2014 09:27:56 +0000
> > +Wookey, June 2015
> > 
> > NEWS.Debian is documented (as far as
> 
> > https://www.debian.org/doc/manuals/developers-reference/ch06.en.html#bpp-news-debian
> > counts) as using the same format as debian/changelog, including for
> > trailers. I imagine the above will fail "dch --news" at least; I'm not
> > sure about other tools such as apt-listchanges.
> 
> OK. Thanks for pointing that out. learn something every day...
> 
> > > (Note: I will be offline until 5th Sept - not sure what the schedule
> > > for the next stable release is)
> > 
> > It's scheduled for the 5th and the window for getting updates in to it
> > has already closed.
> 
> Right, so this missed, which is sad, but I guess people will live.
> I'll do a new upload as directed and update this bug. 
> 
That doesn't seem to be happening; closing.
Cheers,
Julien
--- End Message ---