repository is not signed
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Shutter |
Fix Released
|
Medium
|
Mario Kemper (Romario) |
Bug Description
GScrot repository is not signed with a PGP key. If it is, there is no information about it at:
https:/
nor at:
https:/
The download page should mention which key is used to sign the packages and how to add them to the system.
Every time there is an upgrade to GScrot, the package managers warns the user that GScrot is an unsigned and therefore potentially dangerous package. It is true, someone may hack into your repository and replace the packages with his own. If you want to ensure people's trust, you have to sign your package. It is absolutely necessary for large-spread packages like GScrot.
Please sign your repository and give us information about that on the download page. Thank you.
Changed in gscrot: | |
status: | Confirmed → In Progress |
Changed in shutter: | |
status: | In Progress → Fix Released |
This is a global bug by Launchpad - not from GScrot.
sorry!
Greets - shifty
Kamil Páral schrieb: /launchpad. net/~gscrot/ +archive /answers. launchpad. net/gscrot/ +faq/275
> *** This bug is a security vulnerability ***
>
> Public security bug reported:
>
> GScrot repository is not signed with a PGP key. If it is, there is no information about it at:
> https:/
> nor at:
> https:/
>
> The download page should mention which key is used to sign the packages
> and how to add them to the system.
>
> Every time there is an upgrade to GScrot, the package managers warns the
> user that GScrot is an unsigned and therefore potentially dangerous
> package. It is true, someone may hack into your repository and replace
> the packages with his own. If you want to ensure people's trust, you
> have to sign your package. It is absolutely necessary for large-spread
> packages like GScrot.
>
> Please sign your repository and give us information about that on the
> download page. Thank you.
>
> ** Affects: gscrot
> Importance: Undecided
> Status: New
>
> ** Visibility changed to: Public
>