ASDF tools/release.lisp and PGP keys
Robert Goldman
rpgoldman at sift.info
Wed Dec 22 22:00:54 UTC 2021
Thanks for the note! I'm not sure what to do about this, since I don't
use the "asdf/tools" myself. I never figured out how to debug the lisp
scripts there, so I have stuck to the old code that is based on bash and
make.
That looks like code that is probably related to the creation of Debian
packages for ASDF. No one has been doing that for years. I should
probably prune the code for doing that....
Best,
R
On 22 Dec 2021, at 10:54, Attila Lendvai wrote:
> Robert,
>
> i have this local diff:
>
> - (error "Please export variable DEBSIGN_KEYID to be the 8-hex hash of
> your GnuPG secret key")))
> + (error "Please export variable DEBSIGN_KEYID to be the 16+ digit
> hexadecimal hash of your GnuPG secret key")))
>
> there's an ongoing attack against PGP keys where a white hat hacker is
> brute-forcing the published keys to generate keys that have the same
> hash/fingerprint, or at least the last 8 digits.
>
> luckily they also publish a revocation certificate for these fake
> keys, but i recommend using longer than 8 digit fingerprints when
> identifying PGP keys.
>
> just a heads-up, probably not very urgent/relevant.
>
> - attila
> PGP: 5D5F 45C7 DFCD 0A39