No chain of trust between 2.0.4 and 2.1.0

Bug #2012367 reported by David Runge
This bug affects 1 person
Affects: lazr.delegates
Status: Fix Released
Importance: Low
Assigned to: Colin Watson
Milestone: (none listed)

Bug Description

Hi! I package this project for Arch Linux.

To mitigate supply chain attacks (https://en.wikipedia.org/wiki/Supply_chain_attack) downstreams make an effort to verify signatures made for sources that they build from.

While 2.0.4 has been signed by AC0A4FF12611B6FCCF01C111393587D97D86500B (Colin Watson <email address hidden>), 2.1.0 is now signed by 760D8F2C93E9CA8562E4A00E75D673C2DD1FB761 (Jürgen Gmach <email address hidden>).

The latter userid (http://keyserver.ubuntu.com/pks/lookup?search=760D8F2C93E9CA8562E4A00E75D673C2DD1FB761&fingerprint=on&op=index) unfortunately has no signature from the former PGP key (http://keyserver.ubuntu.com/pks/lookup?search=AC0A4FF12611B6FCCF01C111393587D97D86500B&fingerprint=on&op=index), which means that the chain of trust (https://en.wikipedia.org/wiki/Chain_of_trust) is now broken.

Please ensure that the chain of trust remains intact between releases, else signing the sources is rather meaningless (as anyone can claim to be a certain userid on an arbitrary key).
To do so, please have the previous key sign the current userid on the new key, so that external parties can verify its validity.

In the current state this prevents me from upgrading to 2.1.0 until this is cleared up.
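The check the reporter describes, written out as an added example (not code from the bug, the reporter, or lazr.delegates): parse the machine-readable listing that `gpg --with-colons --with-fingerprint --check-sigs <new-key>` produces and confirm that some user ID on the new key carries a verified, exportable, unrevoked certification issued by the previous release key. The field layout follows GnuPG's doc/DETAILS (field 2 validity, field 5 issuer key ID, field 11 signature class, field 13 issuer fingerprint). The listings embedded below are constructed stand-ins for that output; only the two fingerprints are taken from the report, the user IDs mirror the page's hidden-address form, and all dates, hashes and the subkey are invented.

```python
"""Verify that a new release-signing key is certified by the previous one.

Added example; parses `gpg --with-colons --with-fingerprint --check-sigs`
output (GnuPG doc/DETAILS field numbering). Listings below are constructed.
"""
from dataclasses import dataclass, field

OLD_KEY_FPR = "AC0A4FF12611B6FCCF01C111393587D97D86500B"  # signed 2.0.4 (from the report)
NEW_KEY_FPR = "760D8F2C93E9CA8562E4A00E75D673C2DD1FB761"  # signed 2.1.0 (from the report)

# Certification classes 0x10..0x13; an "l" suffix would mean local/non-exportable.
CERT_CLASSES = {"10x", "11x", "12x", "13x"}

# Constructed records in gpg's colon format (dates, uid hash, subkey are invented).
_PUB = [
    "pub:u:255:22:75D673C2DD1FB761:1690000000:1850000000::u:::scESC::::::23::0:",
    "fpr:::::::::760D8F2C93E9CA8562E4A00E75D673C2DD1FB761:",
    "uid:u::::1690000000::0123456789ABCDEF0123456789ABCDEF01234567::Jürgen Gmach <email address hidden>::::::::::0:",
    # self-signature: issuer is the new key itself (class 13x = positive certification)
    "sig:!::22:75D673C2DD1FB761:1690000000::::Jürgen Gmach <email address hidden>:13x::760D8F2C93E9CA8562E4A00E75D673C2DD1FB761:::8:",
]
_OLD_KEY_CERT = "sig:!::1:393587D97D86500B:1700000000::::Colin Watson <email address hidden>:10x::AC0A4FF12611B6FCCF01C111393587D97D86500B:::8:"
_OLD_KEY_REV = "rev:!::1:393587D97D86500B:1710000000::::Colin Watson <email address hidden>:30x::AC0A4FF12611B6FCCF01C111393587D97D86500B:::8:"
_SUB = [
    "sub:u:255:18:0011223344556677:1690000000:1850000000:::::e::::::23:",
    "fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:",
]
SELF_SIGNED_ONLY = "\n".join(_PUB + _SUB)                              # what the reporter saw
CERTIFIED_BY_OLD_KEY = "\n".join(_PUB + [_OLD_KEY_CERT] + _SUB)        # after the fix
CERT_REVOKED = "\n".join(_PUB + [_OLD_KEY_CERT, _OLD_KEY_REV] + _SUB)  # certification withdrawn


@dataclass
class UserId:
    name: str
    certs: list = field(default_factory=list)     # (issuer, sig_class, verified)
    revoked_by: set = field(default_factory=set)  # issuers who revoked their cert


def parse_listing(listing: str):
    """Return (primary fingerprint, [UserId, ...]) from --with-colons output."""
    primary_fpr, uids, current = None, [], None
    for line in listing.splitlines():
        f = line.split(":")
        rtype = f[0]
        if rtype == "fpr" and primary_fpr is None:
            primary_fpr = f[9]          # first fpr record is the primary key's
        elif rtype == "uid":
            current = UserId(name=f[9])
            uids.append(current)
        elif rtype in ("sub", "ssb"):
            current = None              # following sig records bind a subkey, not a uid
        elif rtype in ("sig", "rev") and current is not None:
            # Field 13 carries the issuer fingerprint once gpg has verified the
            # signature; otherwise only the 64-bit key ID in field 5 is available.
            issuer = f[12] if len(f) > 12 and f[12] else f[4]
            if rtype == "rev":
                current.revoked_by.add(issuer)
            else:
                current.certs.append((issuer, f[10], f[1] == "!"))
    return primary_fpr, uids


def _same_key(issuer: str, fpr: str) -> bool:
    """Full-fingerprint match, or (weaker) 16-hex key ID against the fingerprint tail."""
    issuer, fpr = issuer.upper(), fpr.upper()
    return issuer == fpr or (len(issuer) == 16 and fpr.endswith(issuer))


def chain_of_trust(listing: str, previous_key_fpr: str):
    """(ok, reason): ok iff a uid on the listed key has a verified, exportable,
    unrevoked certification from previous_key_fpr (run gpg with --check-sigs)."""
    new_fpr, uids = parse_listing(listing)
    if new_fpr is None:
        return False, "no key in listing"
    if new_fpr.upper() == previous_key_fpr.upper():
        return True, "same key as previous release"
    for uid in uids:
        if any(_same_key(i, previous_key_fpr) for i in uid.revoked_by):
            continue                    # the old key withdrew its certification
        for issuer, sig_class, verified in uid.certs:
            if not _same_key(issuer, previous_key_fpr) or sig_class not in CERT_CLASSES:
                continue                # self-sig, third party, or local/non-cert sig
            if not verified:
                return False, f"certification on {uid.name!r} did not verify"
            return True, f"{uid.name!r} certified by {previous_key_fpr}"
    return False, f"no user ID certified by {previous_key_fpr}"


if __name__ == "__main__":
    for label, listing in [("self-signed only", SELF_SIGNED_ONLY),
                           ("certified by old key", CERTIFIED_BY_OLD_KEY),
                           ("certification revoked", CERT_REVOKED)]:
        print(label, "->", chain_of_trust(listing, OLD_KEY_FPR))
```

Two caveats a packager would keep in mind: the previous key must already be in the keyring for `--check-sigs` to mark the certification `!` and fill in the issuer fingerprint, and this only links release N to N+1; the first key in the chain still has to be trusted through some out-of-band channel. The key-ID fallback is deliberately second choice, since 64-bit key IDs can be collided.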

Guruprasad (lgp171188)
Changed in lazr.delegates:
status: New → Triaged
importance: Undecided → Low
assignee: nobody → Colin Watson (cjwatson)
Jürgen Gmach (jugmac00) wrote:

Processed as requested.

Changed in lazr.delegates:
status: Triaged → Fix Released
Colin Watson (cjwatson) wrote:

Just note that I don't think that maintaining an OpenPGP chain of trust from each release to the next is something we can always 100% commit to; there are various easy-to-imagine circumstances where it might not be possible. However, it was easy enough to repair in this particular case.
