Your message dated Tue, 11 Jul 2017 11:20:22 +0000
with message-id <[email protected]>
and subject line Bug#781595: fixed in xdeb 0.6.7
has caused the Debian Bug report #781595,
regarding xdeb: disables apt's signature checks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
781595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781595
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:xdeb
Version: 0.6.6
Severity: grave
Tags: security

According to xdeb's documentation it uses apt to download source
packages and defaults to using the system's sources.list, that is
usually remote repositories.

However xdeb disables apt's signature checking:

+---
|     apt_pkg.config.set('APT::Get::AllowUnauthenticated', str(True))
+---[ http://sources.debian.net/src/xdeb/0.6.6/aptutils.py/?hl=159#L159 ]

I assume (but did not verify) that this means xdeb will not complain
about a compromised remote repository and build potentially malicous
packages.

Ansgar

--- End Message ---
--- Begin Message ---
Source: xdeb
Source-Version: 0.6.7

We believe that the bug you reported is fixed in the latest version of
xdeb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Loïc Minier <[email protected]> (supplier of updated xdeb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 11 Jul 2017 13:04:29 +0200
Source: xdeb
Binary: xdeb
Architecture: source all
Version: 0.6.7
Distribution: unstable
Urgency: low
Maintainer: Wookey <[email protected]>
Changed-By: Loïc Minier <[email protected]>
Description:
 xdeb       - Cross-build tool for Debian packages
Closes: 781595
Changes:
 xdeb (0.6.7) unstable; urgency=low
 .
   [ Colin Watson ]
   * Use next(iterator) rather than iterator.next().
   * Use "key in dict" rather than "dict.has_key(key)".
   * Make code style more or less conform to PEP-8.
   * Simplify utils.file_on_path.
   * Use dict.items rather than dict.iteritems to simplify porting to Python
     3; the performance impact should be negligible here.
   * Simplify sorting in various places by relying on the default iteration
     protocol for mappings.
   * Use io.StringIO if cStringIO.StringIO is not available.
   * Rephrase MyPkgRelation.parse_relations using list comprehensions:
     arguably clearer, and works in both Python 2 and 3.
   * Adjust GraphCycleError.__str__ to work in Python 3.
   * Drop support for debian_bundle from python-debian (<< 0.1.15).
   * Use configparser rather than ConfigParser if available.
   * Remove __pycache__ directories on clean.
   * Pass universal_newlines=True to subprocess.Popen to get Unicode output
     in Python 3.
   * Suppress pychecker warnings from the standard library.
   * Set source format to 3.0 (native).
   * Canonicalise the path to the GPL text in debian/copyright.
   * Set [trusted=yes] for our local repository, and enable APT
     authentication otherwise (closes: #781595).
   * Use context managers where appropriate.
 .
   [ Loïc Minier ]
   * More PEP8 fixes.
   * pyflakes fix.
   * Run pyflakes as part of testsuite if it's available.
   * Run pep8 as part of testsuite if it's available.
   * Fix pychecker warning in tests.
   * Run pychecker as part of testsuite if it's available.
   * Test that we're running pychecker on all *.py files.
   * Also run pychecker on tests.
   * Clean __pycache__ in Makefile rather than debian/rules.
   * Bump Standards-Version to 4.0.0.
   * Remove myself from uploaders.
   * Bump Debhelper compat level and build-dep to 10.
   * Build-depend on dh-python.
   * Remove Colin Watson and Steve Langasek from Uploaders with their
     agreement.
   * Add .pm suffix to checks/xdeb.
   * Use Lintian::Util instead of Util in Lintian check.
   * Updated to latest Lintian checks API, except for tag suppression
     which would need to be ported to Lintian profiles.
   * Fix ARM file magic detection (allow for "EABI5").
Checksums-Sha1:
 5feac2c471947790b03fea30459bc42a791e1cf9 1450 xdeb_0.6.7.dsc
 9e6e61d13f9182fd4461e17dfe553d74db6b2fdf 44436 xdeb_0.6.7.tar.xz
 e8acb335113cb66934e5c07f4082e16f39cb40b6 36134 xdeb_0.6.7_all.deb
 dccb7f7b918ec8bcb654dc5612c4553cdd297b92 5863 xdeb_0.6.7_amd64.buildinfo
Checksums-Sha256:
 0b9d71ddef6cbb2f445b90db7a080d1bc42580e3f4bf2544a90096f9b22ac68d 1450 
xdeb_0.6.7.dsc
 10af024b6d5cbefddbfb10437023febf77fd0ba44c1d2162f6735290532058d5 44436 
xdeb_0.6.7.tar.xz
 99fc4287049b99808b60a4c2e42fa4d80ab368f28d0ed46e215a4034e9874383 36134 
xdeb_0.6.7_all.deb
 8c49cdbf523468d27a72c3223faf6e74d832dd65f5df43dd011cc3ab6923e406 5863 
xdeb_0.6.7_amd64.buildinfo
Files:
 218d382ef4bfc4b1741e7c6087519d6e 1450 devel optional xdeb_0.6.7.dsc
 6b4268e066fe2e419f69a1747bd62768 44436 devel optional xdeb_0.6.7.tar.xz
 31a2f9088ec6d3c2193bbc0ef86b2683 36134 devel optional xdeb_0.6.7_all.deb
 2de8f449842672afb1791ca2f8a2c90d 5863 devel optional xdeb_0.6.7_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJZZLF2AAoJEPEUCEwIYRERp+IP+gJty5jD7WD8s6iSeh9fW9t6
ZhHK9bufnjQWFzbX8vaQQQADTGnUDd1Pr1Lb1HzmSZzRUR+dCIyHIwP+dSGCBfRp
vNHf7A7Aj0fMtg9x56mZBpTwKDcQ9YkljHBRofMTIZNlrBv+jhBxlQlVourT24Ev
I0vgA6WWYhSDv14IilJO436hwnFB4NLEH5aoGSFoG1L+MI8LPzK4riiDCSeIL4xK
Q7iu/D0wjZDcknArRbP/AmGYWewp7FiX4GfoUkPeKavsw1PlEz4dJOg31JmowLMm
vHGkBXkUXVC1dxWNGA01VK6E04CypWS2NNYOg/WC2lnD/E+qKtpIN1+KIxRZUsIO
PqycTdKsHcuB6XDN3EDHlUa02bi2GI9uQu+ySjDSpi0TwX0yufkFkKhGTfMdkuZN
DrA76RRnBgXxAiywMPZtl+ULE/goDV1BYROMi0wmX9SOeNKvsc9NAwLa1hnyzOMB
NzEIuZMAtqX/CZ1RhZWR+UpdXM0j0wO79sRksb1ZL9Mu1P/07dF4JaF3ByBlOcB+
QWye+9POlrejnEzFToGj9XMPM3C61kEJ+TZ9hu5zN4AxrL/RpOM62I7T1Zg69Gk/
62TH9lR/Iy+cwquPKvuRaxw8m0zve7ySKAl3mmHhU4SY8g/AffEBksIPnx7qkmB8
oV2PU+IRgiXzgfTXIAIM
=zb89
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to