
Bug#757534: marked as done (apt: use --require-valid-signature option to dpkg-source for "apt-get source" by default)



Your message dated Thu, 28 Aug 2014 01:03:55 +0000
with message-id <E1XMo83-0004V2-6r@franck.debian.org>
and subject line Bug#757534: fixed in apt 1.0.7
has caused the Debian Bug report #757534,
regarding apt: use --require-valid-signature option to dpkg-source for "apt-get source" by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
757534: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757534
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
package: src:apt
severity: important
version: 1.0.6
tags: security

"apt-get source" currently shows messages about invalid signatures,
but goes on to extract the source anyway, and the error text is kind
of easy to miss as well.

A more secure default would be to use the --require-valid-signature
option to dpkg-source.

Note that changes here may lead to a lot of ftbfs bugs for packages
with bad sigs, but that's a good thing.  Those need a new sig anyway.

Example output for a package with an invalid signature (note easy to
miss gpgv messages):

$ apt-get source debian-archive-keyring
Reading package lists... Done
Building dependency tree
Reading state information... Done
Skipping already downloaded file 'debian-archive-keyring_2012.4.dsc'
Skipping already downloaded file 'debian-archive-keyring_2012.4.tar.gz'
Need to get 0 B of source archives.
gpgv: Signature made Sat 02 Jun 2012 11:59:09 AM EDT using DSA key ID B2CFCDD8
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on
./debian-archive-keyring_2012.4.dsc
dpkg-source: info: extracting debian-archive-keyring in
debian-archive-keyring-2012.4
dpkg-source: info: unpacking debian-archive-keyring_2012.4.tar.gz

--- End Message ---
--- Begin Message ---
Source: apt
Source-Version: 1.0.7

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 757534@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 27 Aug 2014 17:11:42 -0700
Source: apt
Binary: apt libapt-pkg4.12 libapt-inst1.5 apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all amd64
Version: 1.0.7
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description:
 apt        - commandline package manager
 apt-doc    - documentation for APT
 apt-transport-https - https download transport for APT
 apt-utils  - package management related utility programs
 libapt-inst1.5 - deb package format runtime library
 libapt-pkg-dev - development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - documentation for APT development
 libapt-pkg4.12 - package management runtime library
Closes: 754817 756056 756200 756710 757534 758153 758208 759099
Changes:
 apt (1.0.7) unstable; urgency=medium
 .
   [ Michael Vogt ]
   * add REAMDE.md
   * StringToBool: only act if the entire string is consumed by strtol()
   * Use @builddeps@ in the debian/tests/control file
   * apt-pkg/acquire-item.cc: make pkgAcqDiffIndex more uniform
   * Fix SmartConfigure to ignore ordering of packages that are already valid
   * doc/apt.8.xml: fix typo, thanks to Jakub Wilk (Closes: #756056)
   * doc/po/pt.po: updated, thanks to Américo Monteir (Closes: #756200)
 .
   [ victory ]
   * Update Japanese documentation translation (Closes: #754817)
 .
   [ Trần Ngọc Quân ]
   * l10n: vi.po (636t): Update one new string
 .
   [ Julian Andres Klode ]
   * Fix debListParser to accept "no" as a value for the Multi-Arch field
     (Closes: #759099)
 .
   [ Mert Dirik ]
   * Turkish program translation update (Closes: 756710)
 .
   [ Miroslav Kure ]
   * Czech program translation update (Closes: 758208)
 .
   [ David Kalnischkies ]
   * add dpkg::source-options for dpkg-source invocation (Closes: 757534)
   * support versioned provides as implemented by dpkg (Closes: 758153)
Checksums-Sha1:
 a7d6b7076dadeeea1620cfb94a568b3ca5107d92 1705 apt_1.0.7.dsc
 d9c6bc1eaa2486c8a0bdb1f84b7abba6c88c29a5 1822972 apt_1.0.7.tar.xz
 2c83b351dc0500e0d6b27b36c1a96a2aa448b978 300336 apt-doc_1.0.7_all.deb
 a2a8e9c2d5106b717d03ceaa88aba1c74bdafeab 773640 libapt-pkg-doc_1.0.7_all.deb
 3608cce531a6d627d4b955ca674e8455f3a39501 775774 libapt-pkg4.12_1.0.7_amd64.deb
 f1ef13879bb8d858cc1cb39cbbf3955eb9370a84 166150 libapt-inst1.5_1.0.7_amd64.deb
 5eb33d01a437b9e74a61a174b5d6c0f6b0374786 1085822 apt_1.0.7_amd64.deb
 9a155e285be4fdad7061cb2c49b330db222173ec 190126 libapt-pkg-dev_1.0.7_amd64.deb
 c2115b26fb9b80de1bb00caa697ebb14e4f6d43c 358144 apt-utils_1.0.7_amd64.deb
 5e9b6d1b7fa01cfa9fa0d09c308fa07fcb308e6e 132724 apt-transport-https_1.0.7_amd64.deb
Checksums-Sha256:
 c844a288a3a1ebe8632ae379ee9b82ef01b3581ba25b3090aae93ea6cfe48b3e 1705 apt_1.0.7.dsc
 eba0aa190160ce448d2657c3d6d498736d99006a945b16695ab7274ea85b3a3f 1822972 apt_1.0.7.tar.xz
 702a86631e300a32262113273b9c70627ca8d7b971aae25f85997b1ee117642f 300336 apt-doc_1.0.7_all.deb
 438d2cbc7c63d0911450accffcd278fbc3db04e49a7df8d035a2ab2d51cf3d00 773640 libapt-pkg-doc_1.0.7_all.deb
 fcb4dc691204c574d30f835f403e745b81c0283195446c7cd1722a8f78df428a 775774 libapt-pkg4.12_1.0.7_amd64.deb
 c4860b067874b43b4445178c6150851359782d23c470bce3401b0717793f4ffc 166150 libapt-inst1.5_1.0.7_amd64.deb
 1d44db79d607d0927a0af1145016fbe2ccf8b3bc49fb33432a86ee6097e87a04 1085822 apt_1.0.7_amd64.deb
 81b55a4749d75b2052f74db608732f9aee08e66fa56f94b5c27a72025318934a 190126 libapt-pkg-dev_1.0.7_amd64.deb
 ee0e7f01a83c7f782bb8e77353d231af85b3afc1e2f8c3fcf235080362eef3cc 358144 apt-utils_1.0.7_amd64.deb
 c462820106683217bd672550d46ca770331b18c66e81faa4c53e18f518883059 132724 apt-transport-https_1.0.7_amd64.deb
Files:
 6cde42b97e35548892c9d46b49f301c4 300336 doc optional apt-doc_1.0.7_all.deb
 98d99b034b0a24766c2b3402d3d6d69b 773640 doc optional libapt-pkg-doc_1.0.7_all.deb
 3d95c2ed9e177ce9adf986b5d98905e0 775774 libs important libapt-pkg4.12_1.0.7_amd64.deb
 6c675483e965fb0f31da817112731ce5 166150 libs important libapt-inst1.5_1.0.7_amd64.deb
 cfc6ed592c0b3746a45663545403e28f 1085822 admin important apt_1.0.7_amd64.deb
 b663d812edd9e213b49c9cd5b693a517 190126 libdevel optional libapt-pkg-dev_1.0.7_amd64.deb
 a307f6959d86b23c8468dec3872ba972 358144 admin important apt-utils_1.0.7_amd64.deb
 026f10bd98f3529526b4dfc71bab5341 132724 admin optional apt-transport-https_1.0.7_amd64.deb
 db39fbe567cf08383a8d0efec65625fe 1705 admin important apt_1.0.7.dsc
 3ace5f38ccf4f805212147ed46ef0576 1822972 admin important apt_1.0.7.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlP+fK4ACgkQliSD4VZixzQLEwCbBZ48GSs+qy9LbilU9Gev/iW5
3twAoKMA8xIspSrc1QC9ooLOwq+YBVMq
=+R2e
-----END PGP SIGNATURE-----

--- End Message ---
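The two messages above describe the problem and the fix: before apt 1.0.7, "apt-get source" let dpkg-source print a signature warning and unpack the .dsc anyway; 1.0.7 adds a Dpkg::Source-Options setting so the dpkg-source invocation can be made strict. The script below is an added example for this thread, not code from the bug report, from apt or from dpkg. It does two things: it scans the combined output of apt-get source for the gpgv/dpkg-source lines that mean the .dsc was not verified (the two wordings come from the report's own sample output; the "BAD signature" wording is assumed standard gpgv output), and it emits the apt.conf fragment that makes dpkg-source refuse to unpack an unverified .dsc. The option name Dpkg::Source-Options is taken from the 1.0.7 changelog entry (apt configuration keys are case-insensitive); that "-x" must be kept in the overriding value is an assumption based on apt passing the option string to dpkg-source in place of its default extract command. The sample output strings are constructed test data.

```shell
#!/bin/sh
# Added example for Debian bug #757534; not code from the report, apt or dpkg.
#  1. dsc_sig_failed      - detect "signature not verified" in apt-get source output
#  2. checked_apt_get_source - wrapper that makes that condition fatal (apt < 1.0.7)
#  3. apt_conf_fragment   - the apt >= 1.0.7 setting that makes dpkg-source strict

# Exit 0 (true) when the text on stdin contains a verification failure.
# First two patterns: taken from the bug report's sample output.
# Third pattern: assumed gpgv wording for a signature that does not match.
dsc_sig_failed() {
    grep -Eq \
        -e 'dpkg-source: warning: failed to verify signature' \
        -e "gpgv: Can't check signature" \
        -e 'gpgv: BAD signature'
}

# For apt < 1.0.7 (no Dpkg::Source-Options): run apt-get source, show its
# output, and return non-zero if the .dsc signature was not verified.  The
# extracted tree is left in place for inspection; treat it as untrusted.
checked_apt_get_source() {
    out=$(apt-get source "$@" 2>&1)
    rc=$?
    printf '%s\n' "$out"
    if printf '%s\n' "$out" | dsc_sig_failed; then
        echo "ERROR: .dsc signature not verified; do not build from this tree" >&2
        return 1
    fi
    return "$rc"
}

# For apt >= 1.0.7: apt.conf fragment (e.g. /etc/apt/apt.conf.d/90source-sig).
# Option name from the 1.0.7 changelog; apt config keys are case-insensitive.
# Assumption: "-x" is apt's default for this option and must be kept, since
# the string replaces the default dpkg-source arguments rather than adding to them.
apt_conf_fragment() {
    printf '%s\n' 'Dpkg::Source-Options "--require-valid-signature -x";'
}

# Constructed sample output.  SAMPLE_FAIL is the report's own case (the
# "Skipping ..." lines omitted); SAMPLE_OK uses assumed gpgv success wording.
SAMPLE_FAIL="gpgv: Signature made Sat 02 Jun 2012 11:59:09 AM EDT using DSA key ID B2CFCDD8
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on ./debian-archive-keyring_2012.4.dsc
dpkg-source: info: extracting debian-archive-keyring in debian-archive-keyring-2012.4"

SAMPLE_OK='gpgv: Signature made Sat 02 Jun 2012 11:59:09 AM EDT using DSA key ID B2CFCDD8
gpgv: Good signature from "Example Maintainer <maint@example.org>"
dpkg-source: info: extracting debian-archive-keyring in debian-archive-keyring-2012.4'

# Demo on the constructed samples (no network and no apt needed):
if printf '%s\n' "$SAMPLE_FAIL" | dsc_sig_failed; then
    echo "sample 1: signature NOT verified - a strict apt-get source would stop here"
fi
if ! printf '%s\n' "$SAMPLE_OK" | dsc_sig_failed; then
    echo "sample 2: no verification failure in output"
fi
echo "apt >= 1.0.7 setting:"
apt_conf_fragment
```

One caveat before enabling the strict setting: dpkg-source --require-valid-signature verifies against the user's trustedkeys.gpg and the official Debian keyrings shipped by the debian-keyring package, so on a host without those keyrings every extraction fails with exactly the "public key not found" seen in the report. That is the intended behaviour (an unverifiable .dsc is not unpacked), but it means the keyring package, or a pinned keyring of your own, has to be in place first.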