gpg metadata on inline signed bug mail is shown in web UI and forwarded in mail

Bug #161822 reported by John A Meinel on 2007-11-10
30
This bug affects 5 people
Affects Status Importance Assigned to Milestone
Launchpad itself
Low
Unassigned

Bug Description

When creating a new bug in Malone, you need to use a gpg-signed email (at least as I understand it).

However, the parser does not strip the GPG headers, so you end up with bug reports that look like bug #133751.

This is somewhat similar to bug #2653, but in a different vein.

It might also be possible to just hide them, like you do with hiding the quoted sections in replies. I would also recommend hiding control section:
X affects /products/bzr
X status triaged
X importance medium

See also bug 190758, about verifying the GPG signature.

Changed in malone:
importance: Undecided → Medium
status: New → Confirmed
description: updated
petski (petski) wrote :

Would be nice to fold the PGP signature, just like the behavior with "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1" is.

Loïc Minier (lool) wrote :
Download full text (3.4 KiB)

Hi

This is actually an important issue: when using Mutt, it will skip all the non-PGP data and only display the PGP-signed data. This means that I only get to see the original report in all comments-mail I get from a bug which was filed using a PGP-signed mail. All emails are of the form:
...
X-Launchpad-Hash: e967072fc1a2b9bbb869f42062bc15bd6b1d393e
Content-Type: application/pgp; format=text; x-action=sign

As it turns out, UNR does not require xautomation, so I'll be unseeding
it, and I'll set the task to Invalid. Alexander, sorry for wasting your
time. :-(

** Changed in: xautomation (Ubuntu)
       Status: Fix Committed =3D> Invalid

-- =

[MIR] UNR packages
https://bugs.launchpad.net/bugs/392410
You received this bug notification because you are a member of UNR in
Ubuntu, which is a direct subscriber.

Status in =E2=80=9Ccellwriter=E2=80=9D package in Ubuntu: Invalid
Status in =E2=80=9Ccheese=E2=80=9D package in Ubuntu: New
Status in =E2=80=9Cclutter=E2=80=9D package in Ubuntu: New
Status in =E2=80=9Cclutter-gtk=E2=80=9D package in Ubuntu: New
Status in =E2=80=9Cdesktop-switcher=E2=80=9D package in Ubuntu: Fix Committ=
ed
Status in =E2=80=9Cfbreader=E2=80=9D package in Ubuntu: Incomplete
Status in =E2=80=9Cgo-home-applet=E2=80=9D package in Ubuntu: Fix Committed
Status in =E2=80=9Chuman-netbook-theme=E2=80=9D package in Ubuntu: New
Status in =E2=80=9Clibfakekey=E2=80=9D package in Ubuntu: Fix Committed
Status in =E2=80=9Cliblinebreak=E2=80=9D package in Ubuntu: New
Status in =E2=80=9Cmaximus=E2=80=9D package in Ubuntu: Fix Committed
Status in =E2=80=9Cnetbook-launcher=E2=80=9D package in Ubuntu: New
Status in =E2=80=9Cubuntu-netbook-remix-default-settings=E2=80=9D package i=
n Ubuntu: Fix Committed
Status in =E2=80=9Cunr-meta=E2=80=9D package in Ubuntu: Fix Committed
Status in =E2=80=9Cwebfav=E2=80=9D package in Ubuntu: Fix Committed
Status in =E2=80=9Cwindow-picker-applet=E2=80=9D package in Ubuntu: Fix Com=
mitted
Status in =E2=80=9Cxautomation=E2=80=9D package in Ubuntu: Invalid
Status in =E2=80=9Cxf86-input-evtouch=E2=80=9D package in Ubuntu: Invalid

Bug description:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

>-------This is the set of packages contained in UNR that aren't in main that
need to be looked at to be promoted to main. MIRs will be forthcoming.

 affects ubuntu/cellwriter
 affects ubuntu/cheese
 affects ubuntu/clutter
 affects ubuntu/clutter-gtk
 affects ubuntu/desktop-switcher
 affects ubuntu/fbreader
 affects ubuntu/go-home-applet
 affects ubuntu/human-netbook-theme
 affects ubuntu/libfakekey
 affects ubuntu/liblinebreak
 affects ubuntu/maximus
 affects ubuntu/netbook-launcher
 affects ubuntu/ubuntu-netbook-remix-default-settings
 affects ubuntu/webfav
 affects ubuntu/window-picker-applet
 affects ubuntu/xautomation
 affects ubuntu/xf86-input-evtouch

 subscribe ubuntu-mir
 subscribe davidm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpEa7wACgkQCfB0CMh//C8yCACaA623VgJBOJMH6krlhBCag9QL
tUIAoIz0mQc7/PLmTf0vMUYwak5u6pB2
=3DLkUG
-----END P...

Read more...

Micah Gersten (micahg) wrote :

Don't know if you want to change the subject, but this also occurs when replying to bugs as well as creating new ones.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Micah Gersten wrote:
> Don't know if you want to change the subject, but this also occurs when
> replying to bugs as well as creating new ones.
>

Well, replies aren't *required* to have them like new bug postings are,
so it is slightly different.

I'm fine with it hiding/stripping gpg signatures on replies. The
original concern was that

1) In order to request a new bug *at all* you had to use a gpg signature
2) The signatures were not stripped from the request email

thus

3) You always had a gpg signature on the description for any bug that
was reported by email.

John
=:->

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkpnHXAACgkQJdeBCYSNAAOiugCeIznaTO0K/8HNIfzcVEO17qsz
rJ0AnA0mLKjO5B8YZ+hsXV4EiGAEAKqn
=IP3h
-----END PGP SIGNATURE-----

The same issue happens with review comments in merge proposals.

Michael Hudson-Doyle (mwhudson) wrote :

SIdnei, I think that would be better filed as a separate bug.

Changed in launchpad-code:
status: New → Triaged
importance: Undecided → Medium
summary: - new bugs by email requires gpg signature but does not strip it from bug
- report
+ gpg metadata on inline signed bug mail is shown in web UI and forwarded
+ in mail
Changed in launchpad:
importance: Medium → Low

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 4/9/2011 8:30 AM, Robert Collins wrote:
> ** Summary changed:
>
> - new bugs by email requires gpg signature but does not strip it from bug report
> + gpg metadata on inline signed bug mail is shown in web UI and forwarded in mail
>
> ** Changed in: launchpad
> Importance: Medium => Low
>

Except in non description fields it *does* hide the GPG signature portions.

So this is specific to the initial "Description" field.

John
=:->

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2gFYQACgkQJdeBCYSNAAP+BACgiL5P7DdOqzleoWklXrTHNgy+
xXoAoJ2r1AbaXn8oV9NPsckAY40V1+dw
=yQC9
-----END PGP SIGNATURE-----

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers