Launchpad itself

gpg metadata on inline signed bug mail is shown in web UI and forwarded in mail

Bug #161822 reported by John A Meinel
30
This bug affects 5 people
Affects Status Importance Assigned to Milestone
Launchpad itself
Triaged
Low
Unassigned

Bug Description

When creating a new bug in Malone, you need to use a gpg-signed email (at least as I understand it).

However, the parser does not strip the GPG headers, so you end up with bug reports that look like bug #133751.

This is somewhat similar to bug #2653, but in a different vein.

It might also be possible to just hide them, like you do with hiding the quoted sections in replies. I would also recommend hiding control section:
X affects /products/bzr
X status triaged
X importance medium

See also bug 190758, about verifying the GPG signature.

See original description
Matthew Paul Thomas (mpt)
Changed in malone:
importance: Undecided → Medium
status: New → Confirmed
Matthew Paul Thomas (mpt)
description: updated
Revision history for this message
petski (petski) wrote :

Would be nice to fold the PGP signature, just like the behavior with "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1" is.

Revision history for this message
Loïc Minier (lool) wrote :
Download full text (3.4 KiB)

Hi

This is actually an important issue: when using Mutt, it will skip all the non-PGP data and only display the PGP-signed data. This means that I only get to see the original report in all comments-mail I get from a bug which was filed using a PGP-signed mail. All emails are of the form:
...
X-Launchpad-Hash: e967072fc1a2b9bbb869f42062bc15bd6b1d393e
Content-Type: application/pgp; format=text; x-action=sign

As it turns out, UNR does not require xautomation, so I'll be unseeding
it, and I'll set the task to Invalid. Alexander, sorry for wasting your
time. :-(

** Changed in: xautomation (Ubuntu)
       Status: Fix Committed =3D> Invalid

-- =

[MIR] UNR packages
https://bugs.launchpad.net/bugs/392410
You received this bug notification because you are a member of UNR in
Ubuntu, which is a direct subscriber.

Status in =E2=80=9Ccellwriter=E2=80=9D package in Ubuntu: Invalid
Status in =E2=80=9Ccheese=E2=80=9D package in Ubuntu: New
Status in =E2=80=9Cclutter=E2=80=9D package in Ubuntu: New
Status in =E2=80=9Cclutter-gtk=E2=80=9D package in Ubuntu: New
Status in =E2=80=9Cdesktop-switcher=E2=80=9D package in Ubuntu: Fix Committ=
ed
Status in =E2=80=9Cfbreader=E2=80=9D package in Ubuntu: Incomplete
Status in =E2=80=9Cgo-home-applet=E2=80=9D package in Ubuntu: Fix Committed
Status in =E2=80=9Chuman-netbook-theme=E2=80=9D package in Ubuntu: New
Status in =E2=80=9Clibfakekey=E2=80=9D package in Ubuntu: Fix Committed
Status in =E2=80=9Cliblinebreak=E2=80=9D package in Ubuntu: New
Status in =E2=80=9Cmaximus=E2=80=9D package in Ubuntu: Fix Committed
Status in =E2=80=9Cnetbook-launcher=E2=80=9D package in Ubuntu: New
Status in =E2=80=9Cubuntu-netbook-remix-default-settings=E2=80=9D package i=
n Ubuntu: Fix Committed
Status in =E2=80=9Cunr-meta=E2=80=9D package in Ubuntu: Fix Committed
Status in =E2=80=9Cwebfav=E2=80=9D package in Ubuntu: Fix Committed
Status in =E2=80=9Cwindow-picker-applet=E2=80=9D package in Ubuntu: Fix Com=
mitted
Status in =E2=80=9Cxautomation=E2=80=9D package in Ubuntu: Invalid
Status in =E2=80=9Cxf86-input-evtouch=E2=80=9D package in Ubuntu: Invalid

Bug description:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

>-------This is the set of packages contained in UNR that aren't in main that
need to be looked at to be promoted to main. MIRs will be forthcoming.

 affects ubuntu/cellwriter
 affects ubuntu/cheese
 affects ubuntu/clutter
 affects ubuntu/clutter-gtk
 affects ubuntu/desktop-switcher
 affects ubuntu/fbreader
 affects ubuntu/go-home-applet
 affects ubuntu/human-netbook-theme
 affects ubuntu/libfakekey
 affects ubuntu/liblinebreak
 affects ubuntu/maximus
 affects ubuntu/netbook-launcher
 affects ubuntu/ubuntu-netbook-remix-default-settings
 affects ubuntu/webfav
 affects ubuntu/window-picker-applet
 affects ubuntu/xautomation
 affects ubuntu/xf86-input-evtouch

 subscribe ubuntu-mir
 subscribe davidm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpEa7wACgkQCfB0CMh//C8yCACaA623VgJBOJMH6krlhBCag9QL
tUIAoIz0mQc7/PLmTf0vMUYwak5u6pB2
=3DLkUG
-----END P...

Read more...

Revision history for this message
Micah Gersten (micahg) wrote :

Don't know if you want to change the subject, but this also occurs when replying to bugs as well as creating new ones.

Revision history for this message
John A Meinel (jameinel) wrote : Re: [Bug 161822] Re: new bugs by email requires gpg signature but does not strip it from bug report

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Micah Gersten wrote:
> Don't know if you want to change the subject, but this also occurs when
> replying to bugs as well as creating new ones.
>

Well, replies aren't *required* to have them like new bug postings are,
so it is slightly different.

I'm fine with it hiding/stripping gpg signatures on replies. The
original concern was that

1) In order to request a new bug *at all* you had to use a gpg signature
2) The signatures were not stripped from the request email

thus

3) You always had a gpg signature on the description for any bug that
was reported by email.

John
=:->

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkpnHXAACgkQJdeBCYSNAAOiugCeIznaTO0K/8HNIfzcVEO17qsz
rJ0AnA0mLKjO5B8YZ+hsXV4EiGAEAKqn
=IP3h
-----END PGP SIGNATURE-----

Revision history for this message
Sidnei da Silva (sidnei) wrote : Re: new bugs by email requires gpg signature but does not strip it from bug report

The same issue happens with review comments in merge proposals.

Revision history for this message
Michael Hudson-Doyle (mwhudson) wrote :

SIdnei, I think that would be better filed as a separate bug.

Changed in launchpad-code:
status: New → Triaged
importance: Undecided → Medium
Robert Collins (lifeless)
summary: - new bugs by email requires gpg signature but does not strip it from bug
- report
+ gpg metadata on inline signed bug mail is shown in web UI and forwarded
+ in mail
Changed in launchpad:
importance: Medium → Low
Revision history for this message
John A Meinel (jameinel) wrote : Re: [Bug 161822] Re: gpg metadata on inline signed bug mail is shown in web UI and forwarded in mail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 4/9/2011 8:30 AM, Robert Collins wrote:
> ** Summary changed:
>
> - new bugs by email requires gpg signature but does not strip it from bug report
> + gpg metadata on inline signed bug mail is shown in web UI and forwarded in mail
>
> ** Changed in: launchpad
> Importance: Medium => Low
>

Except in non description fields it *does* hide the GPG signature portions.

So this is specific to the initial "Description" field.

John
=:->

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2gFYQACgkQJdeBCYSNAAP+BACgiL5P7DdOqzleoWklXrTHNgy+
xXoAoJ2r1AbaXn8oV9NPsckAY40V1+dw
=yQC9
-----END PGP SIGNATURE-----

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.