Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
The emdebian-archive-keyring needs a security fix. Having talked with the security team, it does not need a DSA, just a new upload which revokes the only key in the keyring package.

The emdebian.org server has recently been replaced and no longer uses the key from the old server. The old server had stopped running builds, updates or mirror pushes and was subsequently compromised before being decommissioned. emdebian.org is now running on a new server but the website needs updates.

The repositories formerly signed by this key have not been updated for some time - emdebian grip has ceased updates and the toolchains have moved to Debian experimental. There is no evidence that the files on the mirrors have been changed since the compromise as the mirror push had already been disabled some months prior.

The revocation of 0x97BB3B58 has already been uploaded to keyservers.

Please let me know if an unblock would be accepted for emdebian-archive-keyring. The debdiff is attached and includes a NEWS file about the change. An update of the package in stable will also be required. Once Jessie is released with this update, emdebian-archive-keyring will be removed from Sid and Stretch.

Please let me know whether you need a bug in the BTS just for this or whether the security fix can be unblocked without it.

unblock emdebian-archive-keyring/2.0.4

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386 armhf arm64

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
diffstat for emdebian-archive-keyring-2.0.3 emdebian-archive-keyring-2.0.4 0x97BB3B58.txt | 48 +++++++++++++++++++++++++----------------------- debian/NEWS | 14 ++++++++++++++ debian/changelog | 6 ++++++ 3 files changed, 45 insertions(+), 23 deletions(-) diff -Nru emdebian-archive-keyring-2.0.3/0x97BB3B58.txt emdebian-archive-keyring-2.0.4/0x97BB3B58.txt --- emdebian-archive-keyring-2.0.3/0x97BB3B58.txt 2011-03-27 07:14:09.000000000 +0100 +++ emdebian-archive-keyring-2.0.4/0x97BB3B58.txt 2014-11-27 09:26:06.000000000 +0000 @@ -1,5 +1,5 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.6 (GNU/Linux) +Version: GnuPG v1 mQGiBEY1QygRBACUM8ypZIqJu1O/jjmZJ2XmVHPUMygzcAOXfOsfLBaIz5UmYOCc 22iFN5Milj4hEpgrVnyGgXZh1vA2xbxGZNdjMfge7z0Bvf93RM6gzVnU4EXWu4sW 
@@ -9,26 +9,28 @@ lncL6e8+b8gG8f+asV2JbdpZCR4KiDyko6VCWZswqpKytrgK+hK+ECS5Mre1Oy+Z RuaFBACJcxP4h4M0J1vY0wzlXUw81u+BNJkGanW57JIsP/mwvR4MqLfyi7tAmuPX L6/aWsLvLGYZlFJynZ+1mXXoRUevCGcEc9gK/dpTKVYLRsS0TtNXwaY4hwF7QpBb -gh6Bx/TDBHYjADaYu2EZcwFI29kgwAfwAfyabB/hCfKHT12D5rQcRW1kZWJpYW4g -QXJjaGl2ZSBTaWduaW5nIEtleYhgBBMRAgAgBQJGNUMoAhsDBgsJCAcDAgQVAggD -BBYCAwECHgECF4AACgkQtbdyAJe7O1gTpgCgv5hYIBB7STKXAzNkQzhDzvMrJM4A -oMABwK3Q948TDKFKIWu2yDJ9KAjBiEUEEBECAAYFAkY3M/4ACgkQIWclcBdP7jX7 -HwCcDWmGKUTkRA+GA3d81BW7lwRzSPgAmL2SVYU8VK+TpwLzUbWn2EGkBUWIRgQQ -EQIABgUCRjZfwwAKCRCIAQlKKLyz45evAJ4qfetNIo1MWcqM8rA6OyN0vkFV/ACg -8/5CZw4oLOHuq4+WIbbpHDiV37SIRgQQEQIABgUCRjZf2QAKCRCTsNWvqJf9Asix -AJ9e3zbMLmBxi0dZng3MmiBF0ex6qgCcDWGwW16fPG+XN28ewH8k+WSoS0u5Ag0E -RjVDKhAIAMPHsF7MCR/bgzmznXVXV1QuIDHR9NTAGqFiaGMBKK26rHSN8Wds3zPW -R/MBvkCknn9MwW2a4B7Vrdz9RAg3cUYmSYbHBNDtCTV8b14fNAoc3nsjblgZ+/+0 -zDvR9ZNv3cUBaCqJ1hlZqZbOWi1XPTv2r2CRe2A6q9oGj54NmpSIO7EcH2yYcx0G -TafY4ZDqZha3kmzLSq1gh2s5kph9NyB2pBu31pY3PDPKkxE6+ZAWb6oHZUaKOtr4 -aXnqLxYzSi6Wv3kS5xXS+ZbCv5lz/KlTTIlLRm86wvwRnqGqjBGH4knyB+VKtxlR -/T+aRQxCMSIICYzpfvM+O8a+hH9Z+zMAAwYIAMFAqo9dmRfc7BPLhRxb9erSaEhx -b05lwiDyzPP6B5hcK8t8S/L4k9HwOXoYfnR7/GqUjSj4dYZ5uLlTLOASMpv+5Yq4 -EmPhuqKWM7MAK0uQXVsxSktswNHEHb5c3H8VfQJvpUdelnJdSfqttKvz9Cm1rtPR -KylIK/naQJlZ5XxuAcV+PDcWOHq6B2uV2aG5CGT2yVM9VjxIkMLBPGXxPjPIKKZk -y1TTdOdQdGvSyNOu4gd0o+4i07IZSXBsHarFPTKGoAZ+YsKRJ3ODAKeKnYXIQQf/ -OmmHdkKOfRkVDogZyKHVhSNVEOZ4NyZwbjXc8FtKGOUYvXcpjuxqzqRckteISQQY -EQIACQUCRjVDKgIbDAAKCRC1t3IAl7s7WNO0AJ0aws9mKLgL0CQKvAKs5UBmpgAT -XQCfdqJCUVSEsRcihgP8VfOpPeXm0Vs= -=yQ2U +gh6Bx/TDBHYjADaYu2EZcwFI29kgwAfwAfyabB/hCfKHT12D5ohJBCARCgAJBQJU +cueVAh0CAAoJELW3cgCXuztYfq0An07hWjCfb5DuCbWVYyF1Q/j56gBmAJ9x33CB +dPq3IxPOiL3MdLh8tv1H07QcRW1kZWJpYW4gQXJjaGl2ZSBTaWduaW5nIEtleYhg +BBMRAgAgBQJGNUMoAhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQtbdyAJe7 +O1gTpgCgv5hYIBB7STKXAzNkQzhDzvMrJM4AoMABwK3Q948TDKFKIWu2yDJ9KAjB +iEUEEBECAAYFAkY3M/4ACgkQIWclcBdP7jX7HwCcDWmGKUTkRA+GA3d81BW7lwRz 
+SPgAmL2SVYU8VK+TpwLzUbWn2EGkBUWIRgQQEQIABgUCRjZfwwAKCRCIAQlKKLyz +45evAJ4qfetNIo1MWcqM8rA6OyN0vkFV/ACg8/5CZw4oLOHuq4+WIbbpHDiV37SI +RgQQEQIABgUCRjZf2QAKCRCTsNWvqJf9AsixAJ9e3zbMLmBxi0dZng3MmiBF0ex6 +qgCcDWGwW16fPG+XN28ewH8k+WSoS0u5Ag0ERjVDKhAIAMPHsF7MCR/bgzmznXVX +V1QuIDHR9NTAGqFiaGMBKK26rHSN8Wds3zPWR/MBvkCknn9MwW2a4B7Vrdz9RAg3 +cUYmSYbHBNDtCTV8b14fNAoc3nsjblgZ+/+0zDvR9ZNv3cUBaCqJ1hlZqZbOWi1X +PTv2r2CRe2A6q9oGj54NmpSIO7EcH2yYcx0GTafY4ZDqZha3kmzLSq1gh2s5kph9 +NyB2pBu31pY3PDPKkxE6+ZAWb6oHZUaKOtr4aXnqLxYzSi6Wv3kS5xXS+ZbCv5lz +/KlTTIlLRm86wvwRnqGqjBGH4knyB+VKtxlR/T+aRQxCMSIICYzpfvM+O8a+hH9Z ++zMAAwYIAMFAqo9dmRfc7BPLhRxb9erSaEhxb05lwiDyzPP6B5hcK8t8S/L4k9Hw +OXoYfnR7/GqUjSj4dYZ5uLlTLOASMpv+5Yq4EmPhuqKWM7MAK0uQXVsxSktswNHE +Hb5c3H8VfQJvpUdelnJdSfqttKvz9Cm1rtPRKylIK/naQJlZ5XxuAcV+PDcWOHq6 +B2uV2aG5CGT2yVM9VjxIkMLBPGXxPjPIKKZky1TTdOdQdGvSyNOu4gd0o+4i07IZ +SXBsHarFPTKGoAZ+YsKRJ3ODAKeKnYXIQQf/OmmHdkKOfRkVDogZyKHVhSNVEOZ4 +NyZwbjXc8FtKGOUYvXcpjuxqzqRckteISQQYEQIACQUCRjVDKgIbDAAKCRC1t3IA +l7s7WNO0AJ0aws9mKLgL0CQKvAKs5UBmpgATXQCfdqJCUVSEsRcihgP8VfOpPeXm +0Vs= +=aGyf -----END PGP PUBLIC KEY BLOCK----- diff -Nru emdebian-archive-keyring-2.0.3/debian/changelog emdebian-archive-keyring-2.0.4/debian/changelog --- emdebian-archive-keyring-2.0.3/debian/changelog 2012-03-24 09:27:59.000000000 +0000 +++ emdebian-archive-keyring-2.0.4/debian/changelog 2014-11-27 09:25:43.000000000 +0000 @@ -1,3 +1,9 @@ +emdebian-archive-keyring (2.0.4) unstable; urgency=medium + + * Revoke 0x97BB3B58 and disable the keyring. + + -- Neil Williams <codeh...@debian.org> Thu, 27 Nov 2014 09:25:41 +0000 + emdebian-archive-keyring (2.0.3) unstable; urgency=low * Use working directory as GNUPG homedir and clean up the diff -Nru emdebian-archive-keyring-2.0.3/debian/NEWS emdebian-archive-keyring-2.0.4/debian/NEWS --- emdebian-archive-keyring-2.0.3/debian/NEWS 1970-01-01 01:00:00.000000000 +0100 +++ emdebian-archive-keyring-2.0.4/debian/NEWS 2014-11-27 09:33:22.000000000 +0000 
@@ -0,0 +1,14 @@ +emdebian-archive-keyring (2.0.4) unstable; urgency=medium + + The only key in this keyring has been revoked due to a + possible compromise on the server which was due for + replacement. + . + Emdebian Grip is no longer being updated and the toolchain + repository has not been updated since before the compromise + as work is ongoing for multiarch-compliant toolchains in + Debian. + . + There is no replacement key for this keyring. + + -- Neil Williams <codeh...@debian.org> Thu, 27 Nov 2014 09:27:56 +0000
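Review bot: in the @@ -9,26 +9,28 @@ hunk of 0x97BB3B58.txt the only substantive change is the packet inserted after `...CfKHT12D5`; every line below it re-wraps because the 75 extra bytes shift the base64 stream, so the near-total rewrite of the block is expected rather than suspicious. Decoding the inserted bytes (`ohJBCARCgAJBQJU` through `AAoJELW3cgCXuztY`) gives an old-format signature packet of 73 bytes: v4, type 0x20 (key revocation), DSA, SHA-512, a hashed subpacket 29 with reason code 0x02 (key material compromised), and an unhashed issuer subpacket B5B7720097BB3B58, i.e. the key revoking itself, which is what the changelog claims. What the debdiff cannot show is whether the keyring apt actually consumes is regenerated from this .txt at build time; before unblocking, inspect the built binary package and confirm that `gpg --no-default-keyring --keyring <installed keyring> --list-keys` reports the key as revoked.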
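Review bot: the changelog line `* Revoke 0x97BB3B58 and disable the keyring.` promises two things but the debdiff contains only the first; the diffstat lists 0x97BB3B58.txt, debian/NEWS and debian/changelog, and nothing in the packaging is changed to disable anything. Either drop `and disable the keyring` or say what is meant, for example that the package now ships only a revoked key so Release files signed with it no longer verify. The entry also closes no bug; if the release team wants a BTS reference for the stable update, this is the place for a `Closes:`.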
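Review bot: the NEWS text says `possible compromise` while the unblock request above states the old server `was subsequently compromised`, and the revocation reason encoded in the new key block decodes to 0x02, key material compromised; the user-facing note should not be weaker than the explanation given to the release team. NEWS also never tells users what to do: with no replacement key, any emdebian.org entries in sources.list will start failing signature verification once this package is installed, so add a sentence telling users to remove those sources.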
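The request and the debdiff hinge on one fact: the shipped key block now carries a revocation signature on the primary key. The following is an added example (not part of this bug report, the emdebian-archive-keyring package or Debian's tooling) showing how to check that structurally: it dearmors an OpenPGP public key block, walks its RFC 4880 packets, and reports whether a key-revocation signature (type 0x20) sits on the primary key, which reason code it carries, and whether the issuer is the key itself. The sample block it parses is constructed inside the script with dummy MPIs, because the real key cannot be reconstructed from the diff as shown; `build_sample_block`, `revocation_status` and the other names are this example's own. It checks packet structure only and does not verify the DSA signature, which remains gpg's job.

```python
"""Walk the RFC 4880 packets of an armored OpenPGP public key block and report
whether the primary key carries a key-revocation signature (type 0x20), the
revocation reason and whether the key revoked itself.  Structure only: the
signature maths are left to gpg.  Added example, not emdebian package code."""
import base64
import hashlib
import struct

def dearmor(armored):
    lines = [l.strip() for l in armored.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored block")
    body = lines[1:-1]
    body = body[body.index("") + 1:] if "" in body else body   # armor headers end at blank line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))  # "=crc" dropped

def _length(buf, pos):   # new-format packet / subpacket length -> (length, next position)
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths not supported")

def parse_packets(data):   # -> [(tag, body), ...]; gpg exports keys with old-format headers
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        if ctb & 0x40:                                   # new-format header
            tag, (length, pos) = ctb & 0x3F, _length(data, pos + 1)
        else:                                            # old-format; KeyError on indeterminate length
            tag, width = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 0x03]
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + width], "big"), pos + 1 + width
        if pos + length > len(data):
            raise ValueError("truncated packet")
        packets.append((tag, data[pos:pos + length]))
        pos += length
    return packets

def parse_subpackets(blob):
    subs, pos = {}, 0
    while pos < len(blob):
        length, pos = _length(blob, pos)
        subs[blob[pos] & 0x7F] = blob[pos + 1:pos + length]   # mask the critical bit off the type
        pos += length
    return subs

def parse_signature(body):   # v4: version, type, pk algo, hash algo, hashed area, unhashed area, ...
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    subs = parse_subpackets(body[8 + hlen:8 + hlen + ulen])  # unhashed first, so that the
    subs.update(parse_subpackets(body[6:6 + hlen]))          # hashed (signed) values win
    return {"type": body[1], "subpackets": subs}

def v4_key_id(key_body):   # low 64 bits of SHA1(0x99 || two-byte length || key packet body)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()[-8:]

def revocation_status(armored):
    packets = parse_packets(dearmor(armored))
    if not packets or packets[0][0] != 6 or packets[0][1][0] != 4:
        raise ValueError("block must start with a v4 public key packet")
    key_id = v4_key_id(packets[0][1])
    result = {"key_id": key_id.hex().upper(), "revoked": False}
    # A primary-key revocation binds to the key itself, so gpg places it before
    # the first user ID (13), subkey (14) or user attribute (17) packet.
    for tag, body in packets[1:]:
        if tag in (13, 14, 17):
            break
        sig = parse_signature(body) if tag == 2 else None
        if sig and sig["type"] == 0x20:
            reason = sig["subpackets"].get(29, b"")   # subpacket 29: reason code + comment
            result.update(revoked=True, self_issued=sig["subpackets"].get(16) == key_id,
                          reason_code=reason[0] if reason else None)   # 2 = key compromised
            break
    return result

def build_sample_block(revoked):
    """Constructed sample (dummy MPIs, parser exercise only): v4 DSA key, user ID
    with self-signature, optionally preceded by a self-issued revocation, reason 2."""
    pkt = lambda tag, body: bytes([0x80 | tag << 2 | 1]) + struct.pack(">H", len(body)) + body
    sub = lambda stype, data: bytes([len(data) + 1, stype]) + data
    mpi = b"\x00\x02\x03"                        # one MPI (2-bit value 3) standing in for p, q, g, y, r, s
    key = b"\x04" + struct.pack(">I", 1177830184) + b"\x11" + mpi * 4
    issuer, ctime = sub(16, v4_key_id(key)), sub(2, struct.pack(">I", 1416816000))
    sig = lambda t, hashed, unhashed: pkt(2, bytes([4, t, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
                                          + struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd" + mpi * 2)
    data = pkt(6, key)
    if revoked:
        data += sig(0x20, ctime + sub(29, b"\x02server compromised"), issuer)
    data += pkt(13, b"Sample Archive Signing Key") + sig(0x13, ctime, issuer)
    b64 = base64.b64encode(data).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

To run it on a real keyring source, pass the file contents to `revocation_status(open("0x97BB3B58.txt").read())`; the result to expect after this upload is `revoked` True, `self_issued` True and `reason_code` 2, since the packet inserted by the debdiff decodes to a type 0x20 signature with reason 0x02 issued by B5B7720097BB3B58. A `revoked` False on the built package would mean the installed keyring was not regenerated from the updated .txt, which is exactly the failure a debdiff alone cannot rule out.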