Bug#882581: libidn2: debian/upstream/signing-key.asc is 15M and contains
From: Tim Rühsen
Subject: Bug#882581: libidn2: debian/upstream/signing-key.asc is 15M and contains unrelated public keys
Date: Fri, 24 Nov 2017 10:08:41 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
On 11/24/2017 09:40 AM, Simon McVittie wrote:
> Source: libidn2
> Version: 2.0.4-1.1
> Severity: normal
>
> libidn2 contains both debian/upstream-signing-key.pgp and
> debian/upstream/signing-key.asc, which appears to have been a mistake.
> debian/upstream/signing-key.asc also appears to have unintended content.
>
> debian/upstream-signing-key.pgp is 72K, which seems plausible for a public
> key (although the filename debian/upstream/signing-key.asc is preferred,
> and uscan(1) recommends using gpg --export --export-options export-minimal
> --armor to include only the public key, user IDs and self-signatures, and
> not signatures by other people, to reduce the size further). It has two user
> IDs:
>
> % gpg --list-packets libidn2_2.0.4-1.1.debian/upstream-signing-key.pgp | grep ':user ID packet:'
> :user ID packet: "Simon Josefsson <address@hidden>"
> :user ID packet: "Simon Josefsson <address@hidden>"
>
> and it seems entirely plausible that Simon Josefsson is the only valid
> upstream release manager for libidn2.
Simon and me (Tim Rühsen <address@hidden>) - I signed the last few
upstream releases with key 0x08302DB6A2670428.
Regards, Tim
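The check discussed in this thread (how many primary keys and user IDs an upstream keyring really carries) can be scripted by walking the OpenPGP packet stream, as in the following added example, which is not part of the original messages or of any Debian tooling. It assumes a binary keyring (for an armored file, the output of `gpg --dearmor`), runs on constructed sample data with dummy packet bodies and example.org identities, and counts signature packets without telling self-signatures from third-party ones.

```python
from collections import Counter
PUBKEY, SIGNATURE, USER_ID = 6, 2, 13   # OpenPGP packet tags (RFC 4880, 4.3)

def packets(data):
    """Yield (tag, body) for each packet in a binary (dearmored) keyring."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"offset {i}: not an OpenPGP packet header")
        lb = data[i + 1:i + 6].ljust(5, b"\0")   # length octets, zero-padded
        if hdr & 0x40:                      # new-format header
            tag = hdr & 0x3F
            if lb[0] < 192:
                length, used = lb[0], 1
            elif lb[0] < 224:
                length, used = ((lb[0] - 192) << 8) + lb[1] + 192, 2
            elif lb[0] == 255:
                length, used = int.from_bytes(lb[1:5], "big"), 5
            else:
                raise ValueError("partial body length: not expected in a keyring")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length: not expected in a keyring")
            used = 1 << ltype               # 1, 2 or 4 length octets
            length = int.from_bytes(lb[:used], "big")
        start = i + 1 + used
        if start + length > len(data):      # also catches missing length octets
            raise ValueError(f"offset {i}: truncated packet")
        yield tag, data[start:start + length]
        i = start + length

def audit(data, expected_keys=1):
    """Count primary keys and signatures, list user IDs, flag extra primary keys."""
    tags, uids = Counter(), []
    for tag, body in packets(data):
        tags[tag] += 1
        if tag == USER_ID:
            uids.append(body.decode("utf-8", "replace"))
    return {"primary_keys": tags[PUBKEY], "signatures": tags[SIGNATURE],
            "user_ids": uids, "unexpected": tags[PUBKEY] > expected_keys}

def sample_key(uid):   # constructed data: dummy key and signature bodies
    pkt = lambda tag, body: bytes([0x80 | tag << 2, len(body)]) + body
    return pkt(PUBKEY, b"\x04" * 12) + pkt(USER_ID, uid) + pkt(SIGNATURE, b"\x04" * 8)

SAMPLE_MINIMAL = sample_key(b"Upstream Maintainer <maintainer@example.org>")
SAMPLE_BLOATED = SAMPLE_MINIMAL + sample_key(b"Unrelated Person <someone@example.net>")
```

Set `expected_keys` to the number of people who actually sign upstream releases; a keyring with more primary keys than that deserves a closer look before it is shipped in the package.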