Lately I've been noticing a number of messages on the debian-security-announce list with bad gpg signatures. I compared these messages to the same ones posted to the web archives and discovered that they were not identical. Interestingly, the messages in the archives had GOOD signatures, while the ones being posted to the list often do not.
The difference is in the section that looks like this in the emails with the bad signatures:

    Package: modutils
    Problem type   : local buffer overflow
    Debian-specific: no

Add some spaces to the Package line so that the ":" lines up with the following lines:

    Package        : modutils
    Problem type   : local buffer overflow
    Debian-specific: no

and gpg reports a good signature.

This problem isn't happening on every announcement, but enough that it's getting annoying. Good signatures are vital, particularly on that list, so that readers can feel confident that the security announcements are authentic.

Walt
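
One way to pin down this kind of difference (an added example, not part of the original message): the Python below extracts the signed text from two copies of a clearsigned announcement, normalizes each line the way RFC 4880 does before hashing, and reports the lines that still differ, flagging whitespace-only changes. The sample messages, the `Hash: SHA1` header, the placeholder signature block and the function names are constructed for illustration.

```python
from itertools import zip_longest

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_lines(message):
    """Return the cleartext lines that a clearsigned message's signature covers."""
    lines = message.splitlines()
    start = lines.index(BEGIN) + 1      # ValueError if this is not a clearsigned message
    while lines[start].strip():         # skip armor headers such as "Hash: ..."
        start += 1
    end = lines.index(SIG, start)
    body = lines[start + 1:end]
    # RFC 4880 section 7: undo dash-escaping; trailing spaces/tabs are not hashed.
    return [(l[2:] if l.startswith("- ") else l).rstrip(" \t") for l in body]

def compare(list_copy, archive_copy):
    """List (line_no, list_line, archive_line, whitespace_only) per differing signed line."""
    diffs = []
    pairs = zip_longest(signed_lines(list_copy), signed_lines(archive_copy))
    for n, (x, y) in enumerate(pairs, 1):
        if x != y:
            ws_only = None not in (x, y) and "".join(x.split()) == "".join(y.split())
            diffs.append((n, x, y, ws_only))
    return diffs

# Constructed sample: the archive copy, and a list copy whose alignment was collapsed.
ARCHIVE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package        : modutils
Problem type   : local buffer overflow
Debian-specific: no
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""
LIST_COPY = ARCHIVE.replace("Package        :", "Package:")

if __name__ == "__main__":
    for n, x, y, ws in compare(LIST_COPY, ARCHIVE):
        print(f"signed line {n}: {'whitespace-only' if ws else 'content'} change")
        print(f"  list:    {x!r}\n  archive: {y!r}")
```

Trailing whitespace is stripped before comparison because it is not part of the signed data; whitespace inside a line is, which is why the collapsed alignment shows up as a difference.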