Re: Fwd: jessie backport for Wordpress
On Sun, 26 Jul 2015, Rodrigo Campos wrote:
> On Sun, Jul 26, 2015 at 02:35:19PM +0100, Adam D. Barratt wrote:
> > On Sun, 2015-07-26 at 16:53 +1000, Craig Small wrote:
> > > On Fri, Jul 24, 2015 at 06:59:09PM +0100, Rodrigo Campos wrote:
> > > > > Craig, would you like to sponsor it? It's in mentors.
> > > > Ping Craig? :)
> > > I'm here, I uploaded it yesterday but I have not heard anything back
> > > from dinstall for either it or the wordpress update. It's all very
> > > mysterious.
> >
> > The queued log on ftp-master says:
> >
> > Jul 24 11:41:19 processing /wordpress_4.2.3+dfsg-1_amd64.changes
> > Jul 24 11:41:19 GnuPG signature check failed on wordpress_4.2.3+dfsg-1_amd64.changes
> > Jul 24 11:41:19 /wordpress_4.2.3+dfsg-1_amd64.changes has bad PGP/GnuPG signature!
> > [...]
> > Jul 24 22:50:11 processing /wordpress_4.2.2+dfsg-1~bpo8+1_amd64.changes
> > Jul 24 22:50:11 GnuPG signature check failed on wordpress_4.2.2+dfsg-1~bpo8+1_amd64.changes
> > Jul 24 22:50:11 /wordpress_4.2.2+dfsg-1~bpo8+1_amd64.changes has bad PGP/GnuPG signature!
> >
> > If the gpg check fails then you won't get a notification, as the archive
> > can't be sue who actually performed the upload.
>
> Oh, great. And who should sign, then? Me or Craig that is the sponsor?
>
> That one is signed by me, but I haven't upload my key to any place except
> mentors. If it's me, is it uploading to some place enough? Or should I also get
> some other people to verify me for it to be usable in this?
JFTR, I expect CVE-2015-5623 and CVE-2015-5622 [1] fixed before you upload the
package to bpo. Please don't upload packages with known security problems.
Alex
[1] https://security-tracker.debian.org/tracker/source-package/wordpress
Reply to: