Roundup Tracker - Issues

Message8417

Author rouilj
Recipients ThomasAH, rouilj
Date 2025-12-07.22:23:22
Message-id <1765146202.63.0.911398991616.issue2551152@roundup-tracker.org>
In-reply-to
Initial attempt at docs added in changeset:   8478:ed4ef394d5d6

Note that importing PGP keys can cause issues like DoS/resource consumption,
ref: https://nvd.nist.gov/vuln/detail/CVE-2022-3219.

This makes supporting user driven addition of a key (via public key file upload on the
user object) or setting KEYID for import from a keyserver untenable.

In the docs I added a suggestion to load into a throwaway keystore so they can be analyzed
for excessive sigs, or the import can be aborted without accessing the production keystore.

AFAICT, there is no way to have a public key in a file and use --list-sigs. It has to be
--import(ed) for --list-sigs to work.
History
Date                 User    Action  Args
2025-12-07 22:23:22  rouilj  set     messageid: <1765146202.63.0.911398991616.issue2551152@roundup-tracker.org>
2025-12-07 22:23:22  rouilj  set     recipients: + rouilj, ThomasAH
2025-12-07 22:23:22  rouilj  link    issue2551152 messages
2025-12-07 22:23:22  rouilj  create
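The throwaway-keystore suggestion in the message above is about keeping a possibly hostile upload away from the production keystore. What follows is an added example, not Roundup's or GnuPG's code, of a complementary pre-screen that can run before any keystore is involved: it walks the RFC 4880 packet framing of the uploaded file directly, counts signature packets (tag 2) and aborts as soon as a limit is exceeded, so a signature-flooded key is rejected without being imported anywhere. The limits, the `screen_key`/`check_upload` names and the `make_key()` skeleton keys (constructed packet sequences with dummy bodies, not real keys) are all assumptions of this example.

```python
"""Pre-import screen for an uploaded OpenPGP public key (added example).

Parses RFC 4880 packet headers only; the key is never imported. make_key()
builds constructed, non-functional key skeletons to exercise the parser.
"""

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
TAG_PUBLIC_SUBKEY = 14
TAG_USER_ATTRIBUTE = 17

MAX_SIGNATURES = 200        # assumed policy: total signature packets allowed
MAX_KEY_BYTES = 256 * 1024  # assumed policy: upload size cap


class KeyRejected(ValueError):
    """Raised when the upload must not be forwarded to any keystore."""


def _length(data, pos, width):
    if pos + width > len(data):
        raise KeyRejected("truncated packet length at byte %d" % pos)
    return int.from_bytes(data[pos:pos + width], "big"), pos + width


def iter_packets(data):
    """Yield (tag, body) per packet; refuse framing a key file never needs."""
    pos, n = 0, len(data)
    while pos < n:
        first = data[pos]
        pos += 1
        if not first & 0x80:
            raise KeyRejected("byte %d is not a packet header" % (pos - 1))
        if first & 0x40:                      # new-format header (4.2.2)
            tag = first & 0x3F
            b1, pos = _length(data, pos, 1)
            if b1 < 192:
                length = b1
            elif b1 < 224:
                b2, pos = _length(data, pos, 1)
                length = ((b1 - 192) << 8) + b2 + 192
            elif b1 == 255:
                length, pos = _length(data, pos, 4)
            else:                             # 224..254: partial body length
                raise KeyRejected("partial body lengths are not accepted")
        else:                                 # old-format header (4.2.1)
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:
                raise KeyRejected("indeterminate length is not accepted")
            length, pos = _length(data, pos, (1, 2, 4)[ltype])
        if pos + length > n:
            raise KeyRejected("packet body runs past end of file")
        yield tag, data[pos:pos + length]
        pos += length


def screen_key(data, max_sigs=MAX_SIGNATURES, max_bytes=MAX_KEY_BYTES):
    """Return a summary dict or raise KeyRejected; aborts on the first excess."""
    if len(data) > max_bytes:
        raise KeyRejected("key file larger than %d bytes" % max_bytes)
    summary = {"user_ids": 0, "subkeys": 0, "signatures": 0,
               "max_sigs_per_component": 0}
    seen_primary = False
    sigs_here = 0                             # sigs since the last uid/subkey
    for i, (tag, body) in enumerate(iter_packets(data)):
        if i == 0 and tag != TAG_PUBLIC_KEY:
            raise KeyRejected("first packet is not a public key (tag %d)" % tag)
        if tag == TAG_PUBLIC_KEY:
            if seen_primary:
                raise KeyRejected("more than one primary key in upload")
            seen_primary = True
        elif tag in (TAG_USER_ID, TAG_USER_ATTRIBUTE, TAG_PUBLIC_SUBKEY):
            sigs_here = 0
            summary["subkeys" if tag == TAG_PUBLIC_SUBKEY else "user_ids"] += 1
        elif tag == TAG_SIGNATURE:
            summary["signatures"] += 1
            sigs_here += 1
            summary["max_sigs_per_component"] = max(
                summary["max_sigs_per_component"], sigs_here)
            if summary["signatures"] > max_sigs:   # stop; do not parse the rest
                raise KeyRejected("more than %d signature packets" % max_sigs)
    if not seen_primary:
        raise KeyRejected("empty key file")
    return summary


def check_upload(data, **limits):
    """(True, summary) when the file may proceed, else (False, reason)."""
    try:
        return True, screen_key(data, **limits)
    except KeyRejected as exc:
        return False, str(exc)


def _packet(tag, body):
    """Encode a new-format packet; 302-byte bodies exercise 2-octet lengths."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    if n < 8384:
        return bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body
    return bytes([0xC0 | tag, 255]) + n.to_bytes(4, "big") + body


def make_key(uids, sigs_per_uid, subkeys=1):
    """Constructed key skeleton: correct packet types, dummy bodies, no crypto."""
    out = _packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 60)
    for u in range(uids):
        out += _packet(TAG_USER_ID, b"user%d <user%d@example.invalid>" % (u, u))
        out += b"".join(_packet(TAG_SIGNATURE, b"\x04\x13" + b"\x00" * 300)
                        for _ in range(sigs_per_uid))
    for _ in range(subkeys):
        out += _packet(TAG_PUBLIC_SUBKEY, b"\x04" + b"\x00" * 60)
        out += _packet(TAG_SIGNATURE, b"\x04\x18" + b"\x00" * 300)
    return out


if __name__ == "__main__":
    for label, blob in (("normal key", make_key(2, 3)),
                        ("signature-flooded key", make_key(1, 5000))):
        print(label, check_upload(blob))
```

The screen only inspects framing, so it says nothing about whether the signatures verify; its job is to stop the resource-consumption case before gpg ever sees the file. A key that passes can still go through the throwaway-keystore import the message describes for the finer-grained checks.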