Debian Bug report logs - #345823
apt: Key error at year turnover resembles security problem, and may represent one

version graph

Package: apt; Maintainer for apt is APT Development Team <deity@lists.debian.org>; Source for apt is src:apt.

Reported by: Joshua Rodman <jrodman@debbugs.spamportal.net>

Date: Tue, 3 Jan 2006 19:03:07 UTC

Severity: serious

Tags: d-i

Merged with 345891, 345956, 346002, 347540

Found in version apt/0.6.43

Fixed in version 0.6.43.1

Done: Joey Hess <joeyh@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345823; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Joshua Rodman <jrodman@debbugs.spamportal.net>:
New Bug report received and forwarded. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joshua Rodman <jrodman@debbugs.spamportal.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apt: Key error at year turnover resembles security problem, and may represent one
Date: Tue, 3 Jan 2006 10:58:28 -0800
Package: apt
Version: 0.6.43
Severity: normal


Since the year has turned over, apt-get update now produces the error: 
[...]
Reading package lists... Done
W: GPG error: http://http.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
W: GPG error: http://http.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

Because the release key is not provided via an automated mechanism.
Leaveing aside that the means for getting a new key are not documented
in /usr/share/doc/apt or apt-doc, there is the additional issue that
undocumented, this looks like the debian servers may be compromised.

Secondarily, the recipes I can find for updating to the new release key
do not make clear whether the new release key is verifiable in any way.
I am worried that debian may be violating its trust model once a year.

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Default-Release "testing";
APT::Cache-Limit "10000000";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi";
DPkg::Post-Invoke:: "if [ -x /usr/sbin/localepurge ] && [ $(ps w -p $PPID | grep -c remove) != 1 ]; then /usr/sbin/localepurge; else exit 0; fi";
Acquire "";
Acquire::http "";
Acquire::http::Pipeline-Depth "3";

-- /etc/apt/preferences --

Package: *
Pin: release a=testing
Pin-Priority: 900

Package: *
Pin: release a=etch
Pin-Priority: 900

Package: *
Pin: release o=Debian
Pin-Priority: -10


-- /etc/apt/sources.list --

deb file:/var/cache/apt-build/repository apt-build main
# Testing sources
deb http://http.us.debian.org/debian/ testing main contrib non-free
# sonic mirrors binaries (slowly!!!)
#deb ftp://ftp.sonic.net/mirrors/debian/ testing main contrib non-free
deb-src http://http.us.debian.org/debian/ testing main contrib non-free


#deb http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free
#deb-src http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free

# Unstable sources
deb http://http.us.debian.org/debian/ unstable main non-free contrib
#deb ftp://ftp.sonic.net/mirrors/debian/ unstable main contrib non-free
deb-src http://http.us.debian.org/debian/ unstable main non-free contrib


#deb http://non-us.debian.org/debian-non-US unstable/non-US main contrib non-free
#deb-src http://non-us.debian.org/debian-non-US unstable/non-US main contrib non-free

# Stable sources
#deb http://http.us.debian.org/debian stable main contrib non-free
#deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
#deb http://security.debian.org stable/updates main contrib non-free
#deb-src http://http.us.debian.org/debian stable main contrib


# Special sources

# java ?
# broke one day
#deb ftp://ftp.tux.org/pub/java/debian unstable main non-free
#deb ftp://ftp.tux.org/pub/java/debian testing main non-free

#experimental UAE
deb http://www.rcdrummond.net/uae sid main

# various contraband
deb ftp://ftp.nerim.net/debian-marillat/ etch main
deb ftp://ftp.nerim.net/debian-marillat/ sid main


# dotgnu
# not using anymore
#deb-src http://mentors.debian.net/debian unstable main
#deb http://mentors.debian.net/debian unstable main

# cross compilers
#deb http://debian.speedblue.org ./
# down

# mrxvt, (some other stuff like libtorrent.. whatever)
deb http://mayhq.org/deb/ ./
deb-src http://mayhq.org/deb/ ./

# xmms2 development versions
# this shit is not working! host down
#deb http://exodus.xmms.se/debian stable main
#deb http://exodus.xmms.se/debian testing main


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-jsr
Locale: LANG=C, LC_CTYPE=C (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US.iso88591)

Versions of packages apt depends on:
ii  libc6                         2.3.5-8    GNU C Library: Shared libraries an
ii  libgcc1                       1:4.0.2-5  GCC support library
ii  libstdc++6                    4.0.2-5    The GNU Standard C++ Library v3

apt recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345823; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #10 received at 345823@bugs.debian.org (full text, mbox):

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Joshua Rodman <jrodman@debbugs.spamportal.net>, 345823@bugs.debian.org
Subject: Re: apt: Key error at year turnover resembles security problem, and may represent one
Date: Wed, 4 Jan 2006 03:01:35 +0100
On Tue, Jan 03, 2006 at 10:58:28AM -0800, Joshua Rodman wrote:
> Since the year has turned over, apt-get update now produces the error: 
> [...]
> Reading package lists... Done
> W: GPG error: http://http.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
> W: GPG error: http://http.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

Fwiw, the Release.gpg file contains two signatures now, both one with the
2005 key and the 2006 key, to have a short transition period. The archive
still validates with the 2005 key, which isn't expired yet, and I think APT
should not spread too worrysome errors at users while the archive can still
be verified. Only when the 2005 expires and the user still hasn't imported
the 2006 key (some mechanism needs to be implemented for that for it to
happen cleanly and in a user-frienly way) apt should really bail out on the
user.

--Jeroen

-- 
Jeroen van Wolffelaar
jeroen@wolffelaar.nl
http://jeroen.A-Eskwadraat.nl



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345823; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #15 received at 345823@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 345823@bugs.debian.org
Subject: apt multiple sig behavior
Date: Tue, 3 Jan 2006 22:50:41 -0500
[Message part 1 (text/plain, inline)]
FWIW, apt's behavior with Release files with multiple signatures is the
same as gpgv's:

joey@dragon:~>gpgv --keyring ~/trusted.gpg Release.gpg Release
gpgv: Signature made Tue Jan  3 16:20:45 2006 EST using DSA key ID 4F368D5D
gpgv: Good signature from "Debian Archive Automatic Signing Key (2005) <ftpmaster@debian.org>"
gpgv: Signature made Tue Jan  3 16:20:45 2006 EST using DSA key ID 2D230C5F
gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>"

now if I remove the old key:

joey@dragon:~>gpgv --keyring ~/trusted.gpg Release.gpg Release
gpgv: Signature made Tue Jan  3 16:20:45 2006 EST using DSA key ID 4F368D5D
gpgv: Can't check signature: public key not found
gpgv: Signature made Tue Jan  3 16:20:45 2006 EST using DSA key ID 2D230C5F
gpgv: Good signature from "Debian Archive Automatic Signing Key (2006) <ftpmaster@debian.org>"
zsh: exit 2     gpgv --keyring ~/trusted.gpg Release.gpg Release

So multiply signed Release files will also break d-i, which uses gpg
as above.

debootstrap, which also uses gpgv, parses the output of its --status-fd
option, and will succeed as long as one signature is valid.

I'm working on making d-i use the same technique as debootstrap now.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Severity set to `serious'. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: d-i Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 345823 345891. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345823; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Joshua Rodman <jrodman@debbugs.spamportal.net>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #26 received at 345823@bugs.debian.org (full text, mbox):

From: Joshua Rodman <jrodman@debbugs.spamportal.net>
To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Cc: 345823@bugs.debian.org
Subject: Re: apt: Key error at year turnover resembles security problem, and may represent one
Date: Wed, 4 Jan 2006 02:41:30 -0800
On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> Fwiw, the Release.gpg file contains two signatures now, both one with the
> 2005 key and the 2006 key, to have a short transition period. The archive
> still validates with the 2005 key, which isn't expired yet, and I think APT
> should not spread too worrysome errors at users while the archive can still
> be verified.

Not to contradict you, since my understanding of these issues is
strongly limited, but apt seems to think that it cannot validate the
archive?

Running: su -c "apt-get upgrade"
[...]
The following packages will be upgraded:
  liboil0.3 libsensors3 libssl-dev libssl0.9.8 lm-sensors manpages manpages-dev openssl unzip
[...]
WARNING: The following packages cannot be authenticated!
  libssl-dev openssl libssl0.9.8 manpages manpages-dev liboil0.3 libsensors3 unzip lm-sensors

If understand that the whole release is what is signed, and that then
the urls in the release are therefore trusted (I assume with md5
checksum), then it seems APT does not beleive the release is signed with
the 2005 key, or does not know how to 'fall back' to the 2005 key.

-josh



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345823; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Edward Buck <ed@bashware.net>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #31 received at 345823@bugs.debian.org (full text, mbox):

From: Edward Buck <ed@bashware.net>
To: 345823@bugs.debian.org
Subject: Re: apt: Key error at year turnover resembles security problem, and may represent one
Date: Wed, 04 Jan 2006 03:47:03 -0800
I came across the same error this morning. The part that was rather
frustrating is that I had no idea where to find the new key.  Only by
returning to the bug report (where Joey H provided a link) was I able to
find it.

http://ftp-master.debian.org/ziyi_key_2006.asc

Most users do not think to check ftp-master.

It would be nice to update the following places (where I looked for the
new key and found none):

* http://www.debian.org/security/faq

There's a link to the old key under Q: How can I check the integrity of
packages?

* keyring.debian.org

I tried to download the new key from the above key server using the key
id and found none.

Also, 'apt-key update' gives one the impression that the problem is
easily fixable but it leads to disappointment.

# apt-key update
ERROR: Can't find the archive-keyring
Is the debian-keyring package installed?

After installing debian-keyring, the same error occurs (presumably
because of changed filenames?).  I suspect the new public key is not in
the debian-keyring package anyway.

Regards,
Ed



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345823; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #36 received at 345823@bugs.debian.org (full text, mbox):

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Joshua Rodman <jrodman@debbugs.spamportal.net>
Cc: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, 345823@bugs.debian.org
Subject: Re: apt: Key error at year turnover resembles security problem, and may represent one
Date: Wed, 4 Jan 2006 13:26:26 +0100
On Wed, Jan 04, 2006 at 02:41:30AM -0800, Joshua Rodman wrote:
> On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> > Fwiw, the Release.gpg file contains two signatures now, both one with the
> > 2005 key and the 2006 key, to have a short transition period. The archive
> > still validates with the 2005 key, which isn't expired yet, and I think APT
> > should not spread too worrysome errors at users while the archive can still
> > be verified.
> 
> Not to contradict you, since my understanding of these issues is
> strongly limited, but apt seems to think that it cannot validate the
> archive?

I know, I said "should", because I believe apt should deal with the
multiple signatures correctly, instead of the current behaviour of (it
seems) only looking at the last one and/or requiring all signatures to
verify.

Apt needs to be satisfied with just at least one of the multiple
signatures verifying, so that there can be turnover periods, and for
example third party repositories can have multiple signatures too, for
certain circumstances.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345823; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Daniel Leidert <daniel.leidert.spam@gmx.net>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #41 received at 345823@bugs.debian.org (full text, mbox):

From: Daniel Leidert <daniel.leidert.spam@gmx.net>
To: 316344@bugs.debian.org, 345823@bugs.debian.org
Cc: James Troup <keyring-maint@debian.org>, APT Development Team <deity@lists.debian.org>
Subject: Re: Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one
Date: Wed, 04 Jan 2006 13:40:09 +0100
Am Mittwoch, den 04.01.2006, 03:47 -0800 schrieb Edward Buck:

xpost to #345823 and #316344

[..]
> I tried to download the new key from the above key server using the key
> id and found none.
> 
> Also, 'apt-key update' gives one the impression that the problem is
> easily fixable but it leads to disappointment.
> 
> # apt-key update
> ERROR: Can't find the archive-keyring
> Is the debian-keyring package installed?
> 
> After installing debian-keyring, the same error occurs (presumably
> because of changed filenames?).  I suspect the new public key is not in
> the debian-keyring package anyway.

Yes. It is more than only a bit disappointing, that this bug is still
unfixed. There are at least 6 or 7 open bugs reports (the oldest with an
age of 188 days), talking about this problem. 

So a question to the apt and debian-keyring maintainers: What about

- updating debian-role-keys.gpg to contain the 2006 archiv key
- fixing apt-key to not try to read non-existing keyrings and instead
read debian-role-keys.gpg
- instead trying to remove all keys found in the non-existing
debian-archive-removed-keys.gpg, remove all keys, being expired and
found in debian-role-keys.gpg
- let apt-key update the keyring 1 month before the key expires (needs
updating the debian-role-keys.gpg also one month before a role key
expires)

OR

- add the missing /usr/share/keyrings/debian-archive-keyring.gpg
and /usr/share/keyrings/debian-archive-removed-keys.gpg now

Are there concerns or objections?

Regards, Daniel




Merged 345823 345891 346002. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `serious'. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `serious'. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 345823 345891 345956 346002. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345823; Package apt. Full text and rfc822 format available.

Acknowledgement sent to debian-unstable@myway.com:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #54 received at 345823@bugs.debian.org (full text, mbox):

From: "debian-unstable@myway.com" <debian-unstable@myway.com>
To: 345823@bugs.debian.org
Subject: Re: apt: Key error at year turnover resembles security problem, and may represent one
Date: Wed, 4 Jan 2006 19:09:29 -0500 (EST)
I use aptitude and I'm sure I don't know all the ins and outs here. But I do have a suggestion for your consideration:



Stop signing the archives with the 2006 key for now. That will allow those who have been using the 2005 key to continue getting updates.



After you have your fixes in place -- and the users have updated their systems with those fixes -- then you can add the 2006 key back in for archive-signing purposes. Maybe you would wait until Feb 1 to start using the 2006 key, for the sake of those who don't update their systems daily. Again, I admittedly don't know all of the ramifications.



I hope that you will, as a part of your fixes, enable users' copies of apt/keyrings to automatically be updated to use the 2006 key based on trust of the 2005 key which they are already using. That would be good for those who don't know about http://ftp-master.debian.org/ziyi_key_2006.asc.



Thank you for considering these possibilities.



Rodger Williams



_______________________________________________
No banners. No pop-ups. No kidding.
Make My Way  your home on the Web - http://www.myway.com





Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345823; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #59 received at 345823@bugs.debian.org (full text, mbox):

From: Michael Vogt <mvo@debian.org>
To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, 345823@bugs.debian.org
Cc: Joshua Rodman <jrodman@debbugs.spamportal.net>
Subject: Re: Bug#345823: apt: Key error at year turnover resembles security problem, and may represent one
Date: Thu, 5 Jan 2006 23:36:47 +0100
On Wed, Jan 04, 2006 at 01:26:26PM +0100, Jeroen van Wolffelaar wrote:
> On Wed, Jan 04, 2006 at 02:41:30AM -0800, Joshua Rodman wrote:
> > On Wed, Jan 04, 2006 at 03:01:35AM +0100, Jeroen van Wolffelaar wrote:
> > > Fwiw, the Release.gpg file contains two signatures now, both one with the
> > > 2005 key and the 2006 key, to have a short transition period. The archive
> > > still validates with the 2005 key, which isn't expired yet, and I think APT
> > > should not spread too worrysome errors at users while the archive can still
> > > be verified.
> > 
> > Not to contradict you, since my understanding of these issues is
> > strongly limited, but apt seems to think that it cannot validate the
> > archive?
> 
> I know, I said "should", because I believe apt should deal with the
> multiple signatures correctly, instead of the current behaviour of (it
> seems) only looking at the last one and/or requiring all signatures to
> verify.
> 
> Apt needs to be satisfied with just at least one of the multiple
> signatures verifying, so that there can be turnover periods, and for
> example third party repositories can have multiple signatures too, for
> certain circumstances.

Sorry for the late reply. I'm working on fixing the gpgv method to
properly support multiple signatures right now and will (hopefully) do
a upload really soon.

Cheers,
 Michael

-- 
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo



Merged 345823 345891 345956 346002 347540. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345823; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #66 received at 345823@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 345823@bugs.debian.org
Subject: shouldn't this bug be closed?
Date: Tue, 7 Mar 2006 20:01:30 -0500
[Message part 1 (text/plain, inline)]
mvo wrote:
> Sorry for the late reply. I'm working on fixing the gpgv method to
> properly support multiple signatures right now and will (hopefully) do
> a upload really soon.

And the next day uploaded apt 0.6.43.1 with:

  * deal with multiple signatures on a Release file

And AFAIK we've thuroughly sorted out the other issues, so I see no
reason for this RC bug to remain open.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Reply sent to Joey Hess <joeyh@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joshua Rodman <jrodman@debbugs.spamportal.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #71 received at 345823-done@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 345823-done@bugs.debian.org
Subject: closing this bug
Date: Tue, 30 May 2006 13:38:13 -0400
[Message part 1 (text/plain, inline)]
Version: 0.6.43.1

I don't think this bug needs to remain open, like I said before. If you
disagree, feel free to reopen it.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Reply sent to Joey Hess <joeyh@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Reply sent to Joey Hess <joeyh@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Emil Nowak <emil5@go2.pl>:
Bug acknowledged by developer. Full text and rfc822 format available.

Reply sent to Joey Hess <joeyh@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Ferenczi Viktor <letezo@fw.hu>:
Bug acknowledged by developer. Full text and rfc822 format available.

Reply sent to Joey Hess <joeyh@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to jetxee <jetxee@gmail.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 08:57:01 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 02:04:38 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.