[Bug 1013681] Re: make apt-key net-update secure
Dimitri John Ledkov
launchpad at surgut.co.uk
Tue Jul 18 16:27:48 UTC 2017
Whilst poking all of this a while back, my thought was to use inline
signed keyring snippet which is downloaded probably with the apt-helper,
validated (well gpgv decrypt) and stored as
/etc/apt/trusted.gpg.d/netupdate.gpg. Since we no longer need to touch
/etc/apt/trusted.gpg keyring. This doesn't even need to live in apt-key
netupdate, and could be just a timer unit. But i guess having this
simple logic in apt-key script may make sense.
Note that netupdate has been disabled for a long while now, thus any
reintroduction will need security team review before we enable.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1013681
Title:
make apt-key net-update secure
Status in apt package in Ubuntu:
Triaged
Status in apt package in Debian:
New
Bug description:
Attacks are being performed against the 'apt-key net-update' command
and it is not considered secure. While it is in the process of being
disabled in Ubuntu, it should be improved to be secure.
References:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013639
http://seclists.org/fulldisclosure/2011/Sep/222
http://seclists.org/fulldisclosure/2012/Jun/267
http://seclists.org/fulldisclosure/2012/Jun/271
http://seclists.org/fulldisclosure/2012/Jun/289
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013681/+subscriptions
More information about the foundations-bugs
mailing list