Control: reopen 836555
Control: tags 836555 + upstream
Control: forwarded 836555 https://github.com/kivy/kivy/pull/4582
vincent cheng wrote:
> On Sat, Sep 3, 2016 at 3:40 PM, D Haley <my...@gmx.com> wrote:
>> Source: kivy
>> Version: 1.9.1-1
>> Severity: normal
>>
>> Dear Maintainer,
>>
>> Your package appears to contain commands which use a short gpg-key
>> ID. These have recently been identified as potential security concerns,
>> due to a chance that the wrong key can be imported in the case of a
>> forced key-ID collision [1].
>>
>> The affected file is:
>> /doc/sources/installation/installation-linux.rst [2]
>
> This file is not installed in any of the binary packages built by
> src:kivy. In addition, it only lists out installation steps for end
> users (and is merely documentation, not executable code), which is
> irrelevant for users who install packages directly from Debian. Hence,
> closing this bug report.

Nonetheless, this is a security vulnerability, and should at least be reported upstream as part of Debian's commitment to our users and free software. I've taken the time to do so with a pull request at the URL above. Once it's fixed upstream and that upstream patch is included in Debian, then a future grep through the Debian source archive for the offending --recv-keys will be cleaned up.

Thanks for maintaining kivy in Debian!

Regards,

--dkg
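The grep dkg mentions, a scan of documentation for `--recv-keys` invocations that pass a short key ID, written out as an added example. It is not part of this thread, of the Debian packaging, or of kivy; the sample documentation lines and every key ID in them are constructed, and the function names are my own. It classifies each ID handed to `--recv-keys` by length (8 hex digits: short ID, 16: long ID, 40: full fingerprint), which is the distinction the bug report turns on.

```shell
#!/bin/sh
# Added example, not code from the kivy project or the bug report.
# Scans installation docs for "--recv-keys" and reports any invocation that
# relies on a short (8 hex digit) key ID instead of a full fingerprint.

# Constructed sample in the style of an installation guide; the key IDs are
# made up and do not belong to any real key.
SAMPLE_DOC='sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0123abcd
gpg --keyserver hkps://keys.openpgp.org --recv-keys 0x0123456789ABCDEF
gpg --keyserver hkps://keys.openpgp.org --recv-keys 0123456789ABCDEF0123456789ABCDEF01234567'

# classify_keyid ID
# Prints one of: short | long | fingerprint | invalid
# A leading 0x is tolerated and hex digits are case-insensitive.
classify_keyid() {
    id=$(printf '%s' "$1" | sed 's/^0x//' | tr 'a-f' 'A-F')
    case "$id" in
        *[!0-9A-F]*) echo invalid ;;                               # non-hex character
        ????????) echo short ;;                                    # 32-bit short key ID
        ????????????????) echo long ;;                             # 64-bit long key ID
        ????????????????????????????????????????) echo fingerprint ;;  # 160-bit fingerprint
        *) echo invalid ;;                                         # wrong length
    esac
}

# scan_recv_keys
# Reads text on stdin and prints "<class>\t<id>" for every argument that
# follows --recv-keys on a line, stopping at the next option.
scan_recv_keys() {
    sed -n 's/.*--recv-keys[[:space:]]*//p' | while read -r rest; do
        for id in $rest; do
            case "$id" in -*) break ;; esac
            printf '%s\t%s\n' "$(classify_keyid "$id")" "$id"
        done
    done
}

# count_short_recv_keys
# Reads text on stdin and prints the number of short-ID --recv-keys uses.
count_short_recv_keys() {
    scan_recv_keys | grep -c '^short' || :
}

# Run the scan over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_DOC" | scan_recv_keys
```

Run over a source tree as `find . -name '*.rst' -exec cat {} + | count_short_recv_keys`, a non-zero result is the set of lines to rewrite with the full 40-digit fingerprint. The classification looks only at the argument's length, so a long 64-bit ID is reported separately rather than as short; whether that is acceptable is a policy choice for the reviewer, and the full fingerprint is the form that avoids the collision concern entirely.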
_______________________________________________
Python-modules-team mailing list
Python-modules-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team