[Reportbug-maint] Bug#630086: reportbug does not sign attachments
Jameson Graef Rollins
jrollins at finestructure.net
Fri Jun 10 17:16:12 UTC 2011

Package: reportbug
Version: 5.1.1
Severity: normal
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
When using --gpg (or the "sign" config variable) reportbug is not
signing attachments to the bug report.
This is a fairly big problem for a number of reasons.  First of all,
the attachments are not signed!  In this regard reportbug is not doing
what it claims.  If there is good reason to *not* sign attachments, it
needs to be well documented (although I can't conceive of any reason
why the attachments shouldn't also be included in the signature).
Second, it can trick people into signing content-less messages, as it
did to me recently (see #630004).  This is a fairly big security
concern, since these messages can be used in attacks on the signer or
their correspondents.
Thanks.
jamie.
- -- Package-specific info:
** Environment settings:
EDITOR="emacs -Q -nw"
INTERFACE="text"
** /home/jrollins/.reportbugrc:
reportbug_version "3.2"
realname "Jameson Graef Rollins"
email "jrollins at finestructure.net"
mode advanced
ui text
editor "emacs -nw"
sign gpg
- -- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (600, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages reportbug depends on:
ii  apt                           0.8.14.1   Advanced front-end for dpkg
ii  python                        2.6.6-14   interactive high-level object-orie
ii  python-reportbug              5.1.1      Python modules for interacting wit
reportbug recommends no packages.
Versions of packages reportbug suggests:
pn  debconf-utils                <none>      (no description available)
pn  debsums                      <none>      (no description available)
ii  dlocate                      1.02        fast alternative to dpkg -L and dp
ii  emacs23-bin-common           23.3+1-1    The GNU Emacs editor's shared, arc
ii  file                         5.04-5+b1   Determines file type using "magic"
ii  gnupg                        1.4.11-3    GNU privacy guard - a free PGP rep
ii  postfix [mail-transport-agen 2.8.3-1     High-performance mail transport ag
ii  python-gtk2                  2.24.0-1    Python bindings for the GTK+ widge
pn  python-gtkspell              <none>      (no description available)
pn  python-urwid                 <none>      (no description available)
pn  python-vte                   <none>      (no description available)
ii  xdg-utils                    1.1.0~rc1-2 desktop integration utilities from
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
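The distinction the report turns on is structural: an inline clearsign covers only the text between the armor lines of one MIME part, while PGP/MIME (RFC 3156) puts a multipart/signed wrapper around the whole body-plus-attachments tree, so every attachment sits inside the signed span. The following is an added example, not code from the bug report or from reportbug, that walks a parsed message and lists which leaf parts fall inside the signed span and which do not. The two sample messages are constructed here, and their signature blocks are placeholders, so the check is purely about coverage; it does not verify any signature (run gpg over the covered span for that).

```python
"""Report which MIME parts of a message a PGP signature actually covers.

Two signing styles are distinguished:
  * inline clearsign: a text/plain part carries
    -----BEGIN PGP SIGNED MESSAGE----- ... -----END PGP SIGNATURE-----;
    only that part's text is signed, sibling attachments are not.
  * PGP/MIME (RFC 3156): top level is multipart/signed with
    protocol="application/pgp-signature"; its first child (here a
    multipart/mixed holding body and attachments) is the signed data,
    so everything under it is covered.
"""
import email
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
CLEARSIGN_END = "-----END PGP SIGNATURE-----"
# Placeholder armor for the constructed samples; not a real signature.
FAKE_SIG = b"-----BEGIN PGP SIGNATURE-----\n(omitted)\n-----END PGP SIGNATURE-----\n"


def _leaf_parts(part):
    """Yield the non-multipart leaves below `part` (or `part` itself)."""
    if part.is_multipart():
        for child in part.iter_parts():
            yield from _leaf_parts(child)
    else:
        yield part


def _describe(part):
    name = part.get_filename()
    return part.get_content_type() + (f" ({name})" if name else "")


def signature_coverage(msg):
    """Return (scheme, covered, uncovered) for a parsed EmailMessage.

    scheme is 'pgp-mime', 'inline' or 'none'; covered/uncovered are
    lists of leaf-part descriptions in message order.
    """
    if (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol") == "application/pgp-signature"):
        children = list(msg.iter_parts())
        if (len(children) == 2
                and children[1].get_content_type() == "application/pgp-signature"):
            # RFC 3156: the first body part is the signed data, whole subtree.
            return "pgp-mime", [_describe(p) for p in _leaf_parts(children[0])], []
    covered, uncovered = [], []
    for leaf in _leaf_parts(msg):
        text = leaf.get_content() if leaf.get_content_type() == "text/plain" else None
        if isinstance(text, str) and CLEARSIGN_BEGIN in text and CLEARSIGN_END in text:
            covered.append(_describe(leaf))  # only this part's text is signed
        else:
            uncovered.append(_describe(leaf))
    return ("inline" if covered else "none"), covered, uncovered


def _attachment(text, filename):
    part = MIMEText(text)
    part.add_header("Content-Disposition", "attachment", filename=filename)
    return part


def _parse(mime_obj):
    """Serialise and re-parse so both samples are EmailMessage objects."""
    return email.message_from_bytes(mime_obj.as_bytes(), policy=policy.default)


def sample_inline_signed():
    """Constructed sample of the style the bug describes: clearsigned body,
    separate unsigned attachment."""
    body = MIMEText(CLEARSIGN_BEGIN + "\nHash: SHA256\n\nPackage: reportbug\n"
                    "Version: 5.1.1\n\n" + FAKE_SIG.decode())
    outer = MIMEMultipart("mixed")
    outer["Subject"] = "Bug#630086: reportbug does not sign attachments"
    outer.attach(body)
    outer.attach(_attachment("constructed log contents\n", "reportbug.log"))
    return _parse(outer)


def sample_pgp_mime_signed():
    """Constructed sample of the PGP/MIME layout that would cover the attachment."""
    inner = MIMEMultipart("mixed")
    inner.attach(MIMEText("Package: reportbug\nVersion: 5.1.1\n"))
    inner.attach(_attachment("constructed log contents\n", "reportbug.log"))
    outer = MIMEMultipart("signed", protocol="application/pgp-signature",
                          micalg="pgp-sha256")
    outer["Subject"] = "Bug#630086: reportbug does not sign attachments"
    outer.attach(inner)
    outer.attach(MIMEApplication(FAKE_SIG, "pgp-signature"))
    return _parse(outer)


if __name__ == "__main__":
    for name, sample in (("inline", sample_inline_signed()),
                         ("pgp-mime", sample_pgp_mime_signed())):
        scheme, covered, uncovered = signature_coverage(sample)
        print(f"{name}: scheme={scheme} covered={covered} uncovered={uncovered}")
```

On the inline sample the attachment is listed as uncovered, which is exactly the situation in the report: the signed text can be moved onto a different set of attachments, or stripped of its context, without invalidating the signature. On the PGP/MIME sample both parts are inside the signed child, so a verifier checking that span checks the attachment too.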