[Reportbug-maint] Bug#630086: reportbug does not sign attachments
Jameson Graef Rollins
jrollins at finestructure.net
Fri Jun 10 17:16:12 UTC 2011
Package: reportbug
Version: 5.1.1
Severity: normal
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
When using --gpg (or the "sign" config variable) reportbug is not
signing attachments to the bug report.
This is a fairly big problem for a number of reasons. First of all,
the attachments are not signed! In this regard reportbug is not doing
what it claims. If there is good reason to *not* sign attachments, it
needs to be well documented (although I can't conceive of any reason
why the attachments shouldn't also be included in the signature).
Second, it can trick people into signing content-less messages, as it
did to me recently (see #630004). This is a fairly big security
concern, since these messages can be used in attacks on the signer or
their correspondents.
Thanks.
jamie.
- -- Package-specific info:
** Environment settings:
EDITOR="emacs -Q -nw"
INTERFACE="text"
** /home/jrollins/.reportbugrc:
reportbug_version "3.2"
realname "Jameson Graef Rollins"
email "jrollins at finestructure.net"
mode advanced
ui text
editor "emacs -nw"
sign gpg
- -- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (600, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages reportbug depends on:
ii apt 0.8.14.1 Advanced front-end for dpkg
ii python 2.6.6-14 interactive high-level object-orie
ii python-reportbug 5.1.1 Python modules for interacting wit
reportbug recommends no packages.
Versions of packages reportbug suggests:
pn debconf-utils <none> (no description available)
pn debsums <none> (no description available)
ii dlocate 1.02 fast alternative to dpkg -L and dp
ii emacs23-bin-common 23.3+1-1 The GNU Emacs editor's shared, arc
ii file 5.04-5+b1 Determines file type using "magic"
ii gnupg 1.4.11-3 GNU privacy guard - a free PGP rep
ii postfix [mail-transport-agen 2.8.3-1 High-performance mail transport ag
ii python-gtk2 2.24.0-1 Python bindings for the GTK+ widge
pn python-gtkspell <none> (no description available)
pn python-urwid <none> (no description available)
pn python-vte <none> (no description available)
ii xdg-utils 1.1.0~rc1-2 desktop integration utilities from
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
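
An added example, not part of the original message and not reportbug's own code: a structural check that lists which MIME parts of an outgoing report sit inside signed data, contrasting an inline clearsigned body (the layout this report itself uses) with a PGP/MIME `multipart/signed` wrapper. The function names, the `crash.log` attachment and the sample messages are constructed for illustration, and no signature is cryptographically verified.

```python
from email.message import EmailMessage

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def signature_coverage(msg, covered=False):
    """Return [(label, covered)] for every leaf part of a parsed message.

    Structural check only: it reports which parts lie inside signed data
    and does not verify any signature cryptographically.
    """
    if msg.get_content_type() == "multipart/signed" and msg.is_multipart() and msg.get_payload():
        # RFC 3156: the first subpart is the signed data, the second the signature.
        return signature_coverage(msg.get_payload()[0], True)
    if msg.is_multipart():
        return [r for p in msg.get_payload() for r in signature_coverage(p, covered)]
    if not covered and msg.get_content_maintype() == "text":
        # An inline clearsigned block covers only the text of this one part.
        text = msg.get_content()
        covered = BEGIN_SIGNED in text and BEGIN_SIG in text
    return [(msg.get_filename() or msg.get_content_type(), covered)]

def build_report():
    """Constructed sample: clearsigned body plus an attachment added afterwards."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample report"
    msg.set_content(f"{BEGIN_SIGNED}\nHash: SHA256\n\nSee attached log.\n"
                    f"{BEGIN_SIG}\n\n(placeholder, not a real signature)\n"
                    "-----END PGP SIGNATURE-----\n")
    msg.add_attachment(b"constructed log data\n", maintype="application",
                       subtype="octet-stream", filename="crash.log")
    return msg

def wrap_pgp_mime(inner):
    """Constructed sample: the same report wrapped as PGP/MIME (multipart/signed)."""
    outer = EmailMessage()
    outer["Content-Type"] = 'multipart/signed; protocol="application/pgp-signature"'
    sig = EmailMessage()
    sig.set_content(b"(placeholder)", maintype="application", subtype="pgp-signature")
    outer.attach(inner)
    outer.attach(sig)
    return outer

if __name__ == "__main__":
    for name, msg in (("inline", build_report()), ("PGP/MIME", wrap_pgp_mime(build_report()))):
        for label, ok in signature_coverage(msg):
            print(f"{name:9} {label:12} {'signed' if ok else 'NOT SIGNED'}")
```

Running the same check on a message just before it is handed to the mail transport shows whether any attachment would leave unsigned.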