Bug#882581: libidn2: debian/upstream/signing-key.asc is 15M and contains unrelated public keys

[Simon Josefsson]

Bernhard Schmidt <address@hidden> writes:

> Control: forwarded -1 https://salsa.debian.org/debian/libidn2/merge_requests/1
> Control: tags -1 patch
>
> On Fri, Nov 24, 2017 at 10:08:41AM +0100, Tim Rühsen wrote:
>> On 11/24/2017 09:40 AM, Simon McVittie wrote:
>> > Source: libidn2
>> > Version: 2.0.4-1.1
>> > Severity: normal
>> > 
>> > libidn2 contains both debian/upstream-signing-key.pgp and
>> > debian/upstream/signing-key.asc, which appears to have been a mistake.
>> > debian/upstream/signing-key.asc also appears to have unintended content.
>> > 
>> > debian/upstream-signing-key.pgp is 72K, which seems plausible for a public
>> > key (although the filename debian/upstream/signing-key.asc is preferred,
>> > and uscan(1) recommends using gpg --export --export-options export-minimal
>> > --armor to include only the public key, user IDs and self-signatures, and
>> > not signatures by other people, to reduce the size further). It has two 
>> > user
>> > IDs:
>> > 
>> > % gpg --list-packets libidn2_2.0.4-1.1.debian/upstream-signing-key.pgp | 
>> > grep ':user ID packet:'
>> > :user ID packet: "Simon Josefsson <address@hidden>"
>> > :user ID packet: "Simon Josefsson <address@hidden>"
>> > 
>> > and it seems entirely plausible that Simon Josefsson is the only valid
>> > upstream release manager for libidn2.
>> 
>> Simon and me (Tim Rühsen <address@hidden>) - I signed the last few
>> upstream releases with key 0x08302DB6A2670428.
>
> I have made the proposed changes in a seperate branch and added a merge
> request on Salsa.

Merged now, thank you!

/Simon

signature.asc
Description: PGP signature