Version in base suite: 3.4.0-2
Base version: schleuder_3.4.0-2
Target version: schleuder_3.4.0-2+deb10u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/schleuder/schleuder_3.4.0-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/schleuder/schleuder_3.4.0-2+deb10u1.dsc
changelog | 20 +
patches/0017-mutt-protected-headers.patch | 87 +++-
patches/0018-refresh_keys-no-list.patch | 26 +
patches/0019-refresh-fetch-strip-non-self-sigs.patch | 339 +++++++++++++++++++
patches/series | 2
5 files changed, 457 insertions(+), 17 deletions(-)
gpgv: Signature made Fri Jun 21 19:21:00 2019 UTC
gpgv: using RSA key E29DD0FBEC9607D963BDAE0D5AD75B414EA41667
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on /srv/release.debian.org/tmp/tmp2aspg_ia/schleuder_3.4.0-2.dsc
diff -Nru schleuder-3.4.0/debian/changelog schleuder-3.4.0/debian/changelog
--- schleuder-3.4.0/debian/changelog 2019-06-21 19:05:42.000000000 +0000
+++ schleuder-3.4.0/debian/changelog 2019-11-08 10:45:22.000000000 +0000
@@ -1,3 +1,23 @@ +schleuder (3.4.0-2+deb10u1) buster; urgency=medium + + * debian/patches: + - Extend existing patch which fixes problems related to the use of + "protected headers": Fix recognizing keywords in mails with "protected + headers" and empty subject. Previously, if the subject was unset, + keywords were not recognized and the original "protected headers" could + leak. + This approach, extending the existing patch, instead of adding a new + one, reduces noise and keeps the diff small, as the same part of the + code is targeted. + (Closes: #940524) + - Add patch to strip non-self-signatures when refreshing or fetching keys. + (Closes: #940526) + - Add patch to error out if the argument provided to `refresh_keys` is not + an existing list. + (Closes: #940527) + + -- Georg Faerber Fri, 08 Nov 2019 10:45:22 +0000 + schleuder (3.4.0-2) unstable; urgency=medium * debian/patches: diff -Nru schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch --- schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch 2019-06-21 19:05:42.000000000 +0000 +++ schleuder-3.4.0/debian/patches/0017-mutt-protected-headers.patch 2019-11-08 10:45:22.000000000 +0000 
@@ -1,31 +1,45 @@ -Description: Handle protected headers produced by Mutt 1.12.0 +Description: Fix various problems related to protected headers Mutt 1.12.0, which was recently released, introduced protected headers. These headers are just contained within the plain body of a mail produced by Mutt, they are not further wrapped into a specifically marked MIME-part. Schleuder fails to handle such messages, accordingly, this patch fixes this behaviour. + + Further, this patch fixes recognizing keywords in mails with protected + headers and empty subject: Previously, if the subject was unset, keywords + were not recognized and the original "protected headers" could leak. + (Closes: #940524) Origin: upstream Forwarded: not-needed -Applied-Upstream: 0651daf54a520906583aa6de4bb3854575fcb963 -Last-Update: 2019-06-20 +Applied-Upstream: 0651daf54a520906583aa6de4bb3854575fcb963 395a789a18e7e7e6b57af663ed70a51d6c7d1ba2 +Last-Update: 2019-11-08 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ Index: schleuder/lib/schleuder/mail/message.rb =================================================================== ---- schleuder.orig/lib/schleuder/mail/message.rb -+++ schleuder/lib/schleuder/mail/message.rb -@@ -55,7 +55,7 @@ module Mail +--- schleuder.orig/lib/schleuder/mail/message.rb 2019-11-08 09:29:36.739321755 +0000 ++++ schleuder/lib/schleuder/mail/message.rb 2019-11-08 09:29:36.735321752 +0000 +@@ -53,13 +53,12 @@ + # headers, which reveals protected subjects. + if self.subject != new.subject new.protected_headers_subject = self.subject.dup - - # Delete the protected headers which might leak information. +- +- # Delete the protected headers which might leak information. 
- if new.parts.first.content_type == "text/rfc822-headers; protected-headers=v1" -+ if new.parts.first && new.parts.first.content_type == "text/rfc822-headers; protected-headers=v1" - new.parts.shift - end +- new.parts.shift +- end end + ++ # Delete the protected headers which might leak information. ++ if new.parts.first && new.parts.first.content_type == "text/rfc822-headers; protected-headers=v1" ++ new.parts.shift ++ end + + new + end Index: schleuder/spec/fixtures/mutt_protected_headers.txt =================================================================== ---- /dev/null -+++ schleuder/spec/fixtures/mutt_protected_headers.txt +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ schleuder/spec/fixtures/mutt_protected_headers.txt 2019-11-08 09:29:36.735321752 +0000 @@ -0,0 +1,47 @@ +From schleuder@example.org Thu Jun 13 15:19:33 2019 +Received: from 127.0.0.1 (helo=localhost.localdomain) @@ -76,10 +90,10 @@ +--z6Eq5LdranGa6ru8-- Index: schleuder/spec/schleuder/integration/protected_headers_spec.rb =================================================================== ---- schleuder.orig/spec/schleuder/integration/protected_headers_spec.rb -+++ schleuder/spec/schleuder/integration/protected_headers_spec.rb -@@ -85,4 +85,26 @@ describe "protected subject" do - +--- schleuder.orig/spec/schleuder/integration/protected_headers_spec.rb 2019-11-08 09:29:36.739321755 +0000 ++++ schleuder/spec/schleuder/integration/protected_headers_spec.rb 2019-11-08 09:29:36.735321752 +0000 +@@ -85,4 +85,65 @@ + teardown_list_and_mailer(list) end + 
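Review bot: The relocated guard in `lib/schleuder/mail/message.rb` still compares `content_type` with the exact string `"text/rfc822-headers; protected-headers=v1"`, so a part whose header differs only in form (a quoted `"v1"`, an added `charset` parameter, different case or spacing) would presumably not match and would stay in the outgoing message. Because this check is what keeps protected headers from leaking, matching on the parsed values is more robust, e.g. `first = new.parts.first` followed by `new.parts.shift if first && first.mime_type == 'text/rfc822-headers' && first.content_type_parameters['protected-headers'] == 'v1'`. The enclosing method starts outside the hunk, so whether a protected-headers part can sit anywhere other than first is not visible here.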
@@ -104,4 +118,43 @@ + + teardown_list_and_mailer(list) + end ++ ++ it "recognizes keywords in mails with protected headers and empty subject" do ++ list = create(:list) ++ list.subscribe("schleuder@example.org", '59C71FB38AEE22E091C78259D06350440F759BD3', true) ++ ENV['GNUPGHOME'] = list.listdir ++ mail = Mail.new ++ mail.to = list.request_address ++ mail.from = list.admins.first.email ++ gpg_opts = { ++ encrypt: true, ++ keys: {list.request_address => list.fingerprint}, ++ sign: true, ++ sign_as: list.admins.first.fingerprint ++ } ++ mail.gpg(gpg_opts) ++ mail.body = "x-list-name: #{list.email}\nx-list-keys" ++ protected_headers = Mail::Part.new do ++ body "Subject: protected" ++ content_type "text/rfc822-headers; protected-headers=v1" ++ end ++ mail.add_part protected_headers ++ mail.deliver ++ ++ encrypted_mail = Mail::TestMailer.deliveries.first ++ Mail::TestMailer.deliveries.clear ++ ++ begin ++ Schleuder::Runner.new().run(encrypted_mail.to_s, list.request_address) ++ rescue SystemExit ++ end ++ raw = Mail::TestMailer.deliveries.first ++ message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup ++ ++ expect(message.first_plaintext_part.body.to_s).to include("59C71FB38AEE22E091C78259D06350440F759BD3") ++ expect(message.first_plaintext_part.body.to_s).to_not include("Your message didn't contain any keywords, thus there was nothing to do.") ++ ++ teardown_list_and_mailer(list) ++ end ++ end diff -Nru schleuder-3.4.0/debian/patches/0018-refresh_keys-no-list.patch schleuder-3.4.0/debian/patches/0018-refresh_keys-no-list.patch --- schleuder-3.4.0/debian/patches/0018-refresh_keys-no-list.patch 1970-01-01 00:00:00.000000000 +0000 +++ schleuder-3.4.0/debian/patches/0018-refresh_keys-no-list.patch 2019-11-08 10:45:22.000000000 +0000 
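Review bot: The added example "recognizes keywords in mails with protected headers and empty subject" asserts only that the keyword was processed; nothing in it checks that the `text/rfc822-headers` part is dropped when the subject is unset, which is the leak the patch description names. A unit-level example that builds a message with no subject plus a protected-headers part and expects that part to be absent after processing would cover the moved guard directly. The empty `rescue SystemExit` also hides the exit status, and a one-line comment saying why an exit is expected there would help the next reader.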
@@ -0,0 +1,26 @@ +Description: Show error if list for `refresh_keys` does not exist. +Origin: , +Last-Update: 2019-11-03 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: schleuder/lib/schleuder/cli.rb +=================================================================== +--- schleuder.orig/lib/schleuder/cli.rb 2019-11-03 20:13:16.127752282 +0000 ++++ schleuder/lib/schleuder/cli.rb 2019-11-03 20:13:16.123752314 +0000 +@@ -320,10 +320,13 @@ + private + + def work_on_lists(subj, list=nil) +- selected_lists = if list.nil? +- List.all ++ if list.nil? ++ selected_lists = List.all + else +- List.where(email: list) ++ selected_lists = List.where(email: list) ++ if selected_lists.blank? ++ error("No list with this address exists: #{list.inspect}") ++ end + end + + selected_lists.each do |list| diff -Nru schleuder-3.4.0/debian/patches/0019-refresh-fetch-strip-non-self-sigs.patch schleuder-3.4.0/debian/patches/0019-refresh-fetch-strip-non-self-sigs.patch --- schleuder-3.4.0/debian/patches/0019-refresh-fetch-strip-non-self-sigs.patch 1970-01-01 00:00:00.000000000 +0000 +++ schleuder-3.4.0/debian/patches/0019-refresh-fetch-strip-non-self-sigs.patch 2019-11-08 10:45:22.000000000 +0000 
@@ -0,0 +1,339 @@ +Description: Strip non-self-signatures when refreshing or fetching keys if possible. +Origin: , , +Last-Update: 2019-11-03 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: schleuder/lib/schleuder/cli.rb +=================================================================== +--- schleuder.orig/lib/schleuder/cli.rb 2019-11-03 19:15:19.000000000 +0000 ++++ schleuder/lib/schleuder/cli.rb 2019-11-03 19:21:53.632021708 +0000 +@@ -67,6 +67,7 @@ + + desc 'refresh_keys [list1@example.com]', "Refresh all keys of all list from the keyservers sequentially (one by one or on the passed list). (This is supposed to be run from cron weekly.)" + def refresh_keys(list=nil) ++ GPGME::Ctx.send_notice_if_gpg_does_not_know_import_filter + work_on_lists(:refresh_keys,list) + permission_notice + end +@@ -324,6 +325,7 @@ + else + List.where(email: list) + end ++ + selected_lists.each do |list| + I18n.locale = list.language + output = list.send(subj) +Index: schleuder/lib/schleuder/gpgme/ctx.rb +=================================================================== +--- schleuder.orig/lib/schleuder/gpgme/ctx.rb 2019-11-03 18:33:31.852282869 +0000 ++++ schleuder/lib/schleuder/gpgme/ctx.rb 2019-11-03 19:21:53.632021708 +0000 +@@ -103,7 +103,7 @@ + end + + def refresh_key(fingerprint) +- args = "#{keyserver_arg} --refresh-keys #{fingerprint}" ++ args = "#{keyserver_arg} #{import_filter_arg} --refresh-keys #{fingerprint}" + gpgerr, gpgout, exitcode = self.class.gpgcli(args) + + if exitcode > 0 +@@ -136,7 +136,8 @@ + arguments, error = fetch_key_gpg_arguments_for(input) + return error if error + +- gpgerr, gpgout, exitcode = self.class.gpgcli(arguments) ++ self.class.send_notice_if_gpg_does_not_know_import_filter ++ gpgerr, gpgout, exitcode = self.class.gpgcli("#{import_filter_arg} #{arguments}") + + # Unfortunately gpg doesn't exit with code > 0 if `--fetch-key` fails. 
+ if exitcode > 0 || gpgerr.grep(/ unable to fetch /).presence +@@ -270,5 +271,25 @@ + "" + end + end ++ ++ def self.gpg_knows_import_filter? ++ sufficient_gpg_version?('2.1.15') ++ end ++ ++ def import_filter_arg ++ if self.class.gpg_knows_import_filter? ++ %{ --import-filter drop-sig='sig_created_d > 0000-00-00'} ++ end ++ end ++ ++ def self.send_notice_if_gpg_does_not_know_import_filter ++ if ! gpg_knows_import_filter? ++ Schleuder.logger.notify_superadmin( ++ subject: 'Schleuder installation problem', ++ message: "Your version of GnuPG is very old, please update!\n\nWith your version of GnuPG we can not protect your setup against signature flooding. Please update to at least version 2.1.15 to fix this problem. See for details on the background." ++ ) ++ '' ++ end ++ end + end + end +Index: schleuder/spec/fixtures/openpgp-keys/public-key-with-third-party-signature.txt +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ schleuder/spec/fixtures/openpgp-keys/public-key-with-third-party-signature.txt 2019-11-03 19:21:53.632021708 +0000 +@@ -0,0 +1,41 @@ ++-----BEGIN PGP PUBLIC KEY BLOCK----- ++ ++mQENBEudENYBCADPG94KbqEUQSv3yKbn7Oh/ky0Wn0QTgeTAB/T+oP5au9I/5CnS ++/Rgd8M4k4n/g9orPDfZ1kp3G0sMphLs5XFh9rdtk4iZUVDdU20nfB1lHGMZreGfv ++mhWyYs7GlitFPHGhJUSdQ6kmxR5MjnfE8S+nXYVWkthHxaU21NIkXGyGWcTCc4ML ++8BbJAsgZt2QCWE+l4OO04GoLJtttug8a2RqAuzGHit2+yc8Zv9HAwUjexrw+KZhI ++TnTOiT4aF5XZmVJyPYAaksjKtAXbkR7nWDWi4yTTm6VFEN6Jpajk3CEqBuyFJW+Y +++60oXjf8ktwughxiV5IJCljlDoX1BDPJXw7XABEBAAG0EGJsYWJsYSA8YmxhQGZv ++bz6JATgEEwECACIFAkudENYCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ ++EOvb6JklHyQSklQH/iavy1ercHoF7VI71b9iSrRHvlYDEnwED9y3p2ZNtOiR3dBX ++6/vFErWoLnaIRSXfsUMnMtJxuxIwu0xCXmGxzzXqX1HFjZk6ofG7eajL/JC+ugAg ++0ZNsHHBrBfgaWypyO7QSZyZDlEog7Yk6/Dji1fv0RZsqKo4kF+Fc5HsUyw7yN22K ++yjCjdu+KCgnMA6D1GLG++AirWnWxQW1CCqykuzXIMy2Z040zu8q9hv/m4m+0IXuS ++eFCkcrN2taP3bY+Ynn8r2X6ZV9xhMOJ13ylqn7hCebH1QsGxfIN2mfFesrUbuLb4 
++9KSr0qQBkYG81xOfBemCAJNu5pzQBGebgp9siX6JAjMEEAEIAB0WIQRZxx+ziu4i ++4JHHglnQY1BED3Wb0wUCXV0WvwAKCRDQY1BED3Wb0673EACt9iZwT6/bjK+Yl/Qb ++vlT5/DS8oOOPHo8XLBuGarET12cP+TYTLWZ9ZihlmTrNz8Nwfrgd4m0hTIyGe3z/ ++eq4IoZaB9Z31EA2sr/rOqeyJ5f7kcJMdfCdG0DzYkcb/rf73aLbSeyjwn5cXeNx/ ++m1aBBvp0eIccSti1cunESydkHmHePWm4dTnE85+RwDyraRg3eTOc7axTxBn0ltCS ++q29MVpwBykKKpSibbOjwlu30kazOMTMGKFo+4YEaa4t4LFkf/hpGF7/A8RrXJT4C ++d0UyEXFZz5bYy/Rj5/6AYjJDe4ET3BwvYXNoBfI5T207z34fT6DuM1Q/fVHEbxAB ++Kj92y/PYCmnIjrDT9nx82R5bxzk9aPcJgjSL1k/Ve9YaZm/8yexlUu5uBdQDW94S ++Yw13IfIBoc39qAVL43HGHfNhc4jYJhnBMe/uz80xhQhUTPABuvamj8QC/oYD+g7s ++Rq/mkVFx8acStmMt5LOdwSBWmMejSCYvfgxE/xk17R9/Ro4AaoruVy/Q9M1pfUe7 ++P92g90iZIvgFLxD2UTn70y7ZbWkCAFZ7qmgdWUmGbb2PpRgZunLN5XJe+0IKOPo9 ++nYgyzi4LjldW8GjZSeFZzdRl3KpMYLZFyos9myZnccozXG2iYzqQynmO+hx743xQ ++aBQ7Y5pQsHQJYsbjlz/FzopJ4rkBDQRLnRDWAQgAzHRQqv4frdtdGEH5H8imfqeP ++PdicQBSExhSBm556HkxHB/UIldc90nRq9ZF1sPrz1PSqG7AczDSIB5tHE85PN1tp ++SI3NeVL72R8m78ARtEUk+jUyCIMmvveUukxYdTFYdJEL85KhJgD8AcGuJOivFpam ++ZzsDWt90LXexU+rztNFfwwuFFc6USKvIP4B4ziuZa8FZmKWM+5M5rt1AGQ7lRJiS ++SJqaWR8doEYR8V2JZUE/pcgWKLEUNQvUEqwiaGnKG3n1otvgFquEjF+3XvE+agM1 ++U4aPeTT/GQUkS/o3tu0HwjkN9yN05ncJh3w6umub51k9qOdl5pLyx17meCNNlwAR ++AQABiQEfBBgBAgAJBQJLnRDWAhsMAAoJEOvb6JklHyQSLM8H/jHFy+bb2KxMihUS ++0Rc2TOznz1gdqtUo2cHWtsFHIH6n+aF2GNvvNVIg+savCyzSTMKLTSwdivdrvQxs ++p8zx8CgWvZ32KShRV8GXW1XEI0f7oVjGnyDW9w2ZxMx+wCsWcWLYxA6uck2RRq0C ++6msCi44sQCmIaBPLpCKRWmzFg9RP4FcdM/+8pb5+D+smrzu5va8i6HB0jTixpNEO ++PuNjNCxNYNWbBpN3fNyi/wf0QvsMZS51nGLe3iQV87CoHNtD98d84YUFY57XEzsS ++Z1LQamWyzWkCdj4y5KJwPT+Pv+1afvAl6Uy5NfFzNIcz7hWz9jDzpK9UmEprcb/V ++QKfPPOk= ++=EqIC ++-----END PGP PUBLIC KEY BLOCK----- +Index: schleuder/spec/schleuder/integration/cli_spec.rb +=================================================================== +--- schleuder.orig/spec/schleuder/integration/cli_spec.rb 2019-11-03 18:33:31.852282869 +0000 ++++ schleuder/spec/schleuder/integration/cli_spec.rb 2019-11-03 19:21:53.632021708 +0000 +@@ -159,9 +159,8 @@ + 
dirmngr_pid = `pgrep -a dirmngr | grep #{list.listdir}`.split(' ',2).first + expect(dirmngr_pid).to be_nil + end +- mail = Mail::TestMailer.deliveries.first ++ mail = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] } + +- expect(Mail::TestMailer.deliveries.length).to eq 1 + b = mail.first_plaintext_part.body.to_s + expect(b).to match(/Refreshing all keys from the keyring of list #{list.email} resulted in this:\n\n/) + expect(b).to match(/\nThis key was updated \(new signatures\):\n0x98769E8A1091F36BD88403ECF71A3F8412D83889 bla@foo \d{4}-\d{2}-\d{2} \[expired: \d{4}-\d{2}-\d{2}\]\n/) +@@ -181,9 +180,8 @@ + with_sks_mock do + Cli.new.refresh_keys list1.email + end +- mail = Mail::TestMailer.deliveries.first ++ mail = Mail::TestMailer.deliveries.find { |message| message.to == [list1.admins.first.email] } + +- expect(Mail::TestMailer.deliveries.length).to eq 1 + b = mail.first_plaintext_part.body.to_s + expect(b).to match(/Refreshing all keys from the keyring of list #{list1.email} resulted in this:\n\n/) + expect(b).to match(/\nThis key was updated \(new signatures\):\n0x98769E8A1091F36BD88403ECF71A3F8412D83889 bla@foo \d{4}-\d{2}-\d{2} \[expired: \d{4}-\d{2}-\d{2}\]\n/) +@@ -199,9 +197,8 @@ + list.import_key(File.read("spec/fixtures/expired_key.txt")) + + Cli.new.refresh_keys +- mail = Mail::TestMailer.deliveries.first ++ mail = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] } + +- expect(Mail::TestMailer.deliveries.length).to eq 1 + expect(mail.to_s).to include("Refreshing all keys from the keyring of list #{list.email} resulted in this") + if GPGME::Ctx.sufficient_gpg_version?('2.1') + expect(mail.to_s).to include("keyserver refresh failed: No keyserver available") +Index: schleuder/spec/schleuder/integration/keywords_spec.rb +=================================================================== +--- schleuder.orig/spec/schleuder/integration/keywords_spec.rb 2019-11-03 18:33:31.856283673 +0000 
++++ schleuder/spec/schleuder/integration/keywords_spec.rb 2019-11-03 19:21:53.632021708 +0000 +@@ -1427,7 +1427,7 @@ + rescue SystemExit + end + end +- raw = Mail::TestMailer.deliveries.first ++ raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] } + message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup + + expect(list.keys.size).to eql(list_keys_num + 1) +@@ -1463,7 +1463,7 @@ + rescue SystemExit + end + end +- raw = Mail::TestMailer.deliveries.first ++ raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] } + message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup + + expect(list.keys.size).to eql(list_keys_num) +@@ -1499,7 +1499,7 @@ + rescue SystemExit + end + end +- raw = Mail::TestMailer.deliveries.first ++ raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] } + message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup + + expect(list.keys.size).to eql(list_keys_num + 1) +@@ -1536,7 +1536,7 @@ + rescue SystemExit + end + end +- raw = Mail::TestMailer.deliveries.first ++ raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] } + message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup + + expect(list.keys.size).to eql(list_keys_num) +@@ -1572,7 +1572,7 @@ + rescue SystemExit + end + end +- raw = Mail::TestMailer.deliveries.first ++ raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] } + message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup + + expect(list.keys.size).to eql(list_keys_num) +@@ -1608,7 +1608,7 @@ + rescue SystemExit + end + end +- raw = Mail::TestMailer.deliveries.first ++ raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] } + message = Mail.create_message_to_list(raw.to_s, 
list.request_address, list).setup + + expect(list.keys.size).to eql(list_keys_num + 1) +@@ -1644,7 +1644,7 @@ + rescue SystemExit + end + end +- raw = Mail::TestMailer.deliveries.first ++ raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] } + message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup + + expect(list.keys.size).to eql(list_keys_num) +@@ -1680,7 +1680,7 @@ + rescue SystemExit + end + end +- raw = Mail::TestMailer.deliveries.first ++ raw = Mail::TestMailer.deliveries.find { |message| message.to == [list.admins.first.email] } + message = Mail.create_message_to_list(raw.to_s, list.request_address, list).setup + + expect(list.keys.size).to eql(list_keys_num) +Index: schleuder/spec/schleuder/unit/gpgme_ctx.rb +=================================================================== +--- schleuder.orig/spec/schleuder/unit/gpgme_ctx.rb 2019-11-03 18:33:31.856283673 +0000 ++++ schleuder/spec/schleuder/unit/gpgme_ctx.rb 2019-11-03 19:21:53.632021708 +0000 +@@ -227,5 +227,31 @@ + expect(mail.to_s).to match(/gpgkeys: .* error .* connect/) + end + end ++ ++ it 'does not import non-self-signatures if gpg >= 2.1.15; or else sends a warning' do ++ list = create(:list) ++ list.delete_key('87E65ED2081AE3D16BE4F0A5EBDBE899251F2412') ++ list.subscribe('admin@example.org', nil, true) ++ list.import_key(File.read('spec/fixtures/bla_foo_key.txt')) ++ ++ res = '' ++ with_sks_mock do ++ res = list.gpg.refresh_keys(list.keys) ++ end ++ # GPGME apparently does not show signatures correctly in some cases, so we better use gpgcli. 
++ signature_output = list.gpg.class.gpgcli(['--list-sigs', '87E65ED2081AE3D16BE4F0A5EBDBE899251F2412'])[1].grep(/0F759BD3.*schleuder@example.org/) ++ ++ if GPGME::Ctx.sufficient_gpg_version?('2.1.15') ++ expect(res).to be_empty ++ expect(signature_output).to be_empty ++ else ++ message = Mail::TestMailer.deliveries.first ++ expect(message.to).to eql([Conf.superadmin]) ++ expect(message.subject).to eql('Schleuder installation problem') ++ expect(res).not_to be_empty ++ expect(signature_output).not_to be_empty ++ end ++ end ++ + end + end +Index: schleuder/spec/schleuder/unit/list_spec.rb +=================================================================== +--- schleuder.orig/spec/schleuder/unit/list_spec.rb 2019-11-03 18:33:31.856283673 +0000 ++++ schleuder/spec/schleuder/unit/list_spec.rb 2019-11-03 19:21:53.632021708 +0000 +@@ -525,6 +525,32 @@ + + teardown_list_and_mailer(list) + end ++ ++ it 'does not import non-self-signatures if gpg >= 2.1.15; or else sends a warning' do ++ list = create(:list) ++ list.delete_key('87E65ED2081AE3D16BE4F0A5EBDBE899251F2412') ++ list.subscribe('admin@example.org', nil, true) ++ output = '' ++ ++ with_sks_mock do ++ output = list.fetch_keys('87E65ED2081AE3D16BE4F0A5EBDBE899251F2412') ++ end ++ ++ # GPGME apparently does not show signatures correctly in some cases, so we better use gpgcli. ++ signature_output = list.gpg.class.gpgcli(['--list-sigs', '87E65ED2081AE3D16BE4F0A5EBDBE899251F2412'])[1].grep(/0F759BD3.*schleuder@example.org/) ++ ++ expect(output).to include("This key was fetched (new key):\n0x87E65ED2081AE3D16BE4F0A5EBDBE899251F2412 bla@foo") ++ if GPGME::Ctx.gpg_knows_import_filter? 
++ expect(signature_output).to be_empty ++ else ++ message = Mail::TestMailer.deliveries.first ++ expect(message.to).to eql([Conf.superadmin]) ++ expect(message.subject).to eql('Schleuder installation problem') ++ expect(signature_output).not_to be_empty ++ end ++ ++ teardown_list_and_mailer(list) ++ end + end + + describe "send_list_key_to_subscriptions" do +Index: schleuder/spec/sks-mock.rb +=================================================================== +--- schleuder.orig/spec/sks-mock.rb 2019-11-03 18:33:31.856283673 +0000 ++++ schleuder/spec/sks-mock.rb 2019-11-03 19:21:53.632021708 +0000 +@@ -23,6 +23,8 @@ + File.read('spec/fixtures/olduid_key_with_newuid.txt') + when '0x59C71FB38AEE22E091C78259D06350440F759BD3' + File.read('spec/fixtures/default_list_key.txt') ++ when '0x87E65ED2081AE3D16BE4F0A5EBDBE899251F2412' ++ File.read('spec/fixtures/openpgp-keys/public-key-with-third-party-signature.txt') + else + 404 + end +Index: schleuder/lib/schleuder/logger_notifications.rb +=================================================================== +--- schleuder.orig/lib/schleuder/logger_notifications.rb 2019-11-03 18:33:31.852282869 +0000 ++++ schleuder/lib/schleuder/logger_notifications.rb 2019-11-03 19:25:11.711883679 +0000 +@@ -18,9 +18,14 @@ + notify_admin(string, original_message) + end + +- def notify_admin(thing, original_message=nil, subject='Error') ++ def notify_superadmin(message:, original_message: nil, subject: 'Error') ++ notify_admin(message, original_message, subject, superadmin) ++ end ++ ++ def notify_admin(thing, original_message=nil, subject='Error', recipients=nil) + # Minimize using other classes here, we don't know what caused the error. 
+ msg_parts = convert_to_msg_parts(thing, original_message) ++ recipients ||= adminaddresses + Array(adminaddresses).each do |address, key| + mail = Mail.new + mail.from = @from diff -Nru schleuder-3.4.0/debian/patches/series schleuder-3.4.0/debian/patches/series --- schleuder-3.4.0/debian/patches/series 2019-06-21 19:05:42.000000000 +0000 +++ schleuder-3.4.0/debian/patches/series 2019-11-08 10:45:22.000000000 +0000 @@ -1,3 +1,5 @@ +0019-refresh-fetch-strip-non-self-sigs.patch +0018-refresh_keys-no-list.patch 0016-gemspec-update-sinatra.patch 0011-fix-for-activerecord-5.2.patch 0008-dirmngr-no-tor-standard-resolver.patch
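Review bot: In the `logger_notifications.rb` hunk, `notify_admin` gains a `recipients` argument and sets `recipients ||= adminaddresses`, but the loop on the following context line still iterates `Array(adminaddresses)`, so as far as the hunk shows the new argument is never read and `notify_superadmin` mails whatever `adminaddresses` holds rather than `superadmin`. This is the delivery path for the "signature flooding" installation warning, so a misrouted or missing notice leaves operators on old GnuPG unaware that the import filter is not applied. The loop header should read `Array(recipients).each do |address, key|`. The rest of `notify_admin` lies outside the hunk, so confirm nothing further down consumes `recipients`; the new specs expecting `message.to` to equal `[Conf.superadmin]` may pass only where the two values happen to coincide.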