[Bug 1363482] Re: ubuntu-keyring includes 1024D keys
Peter Odding
peter at peterodding.com
Mon Oct 15 15:21:51 UTC 2018
Going over my notes on this topic I realized that I hadn't pointed out
in my previous message that the issue I've pointed out has already
triggered a workaround (that shouldn't be necessary IMHO) in the
pbuilder project:
https://bugs.launchpad.net/ubuntu/+source/pbuilder/+bug/599394
In my opinion neither pbuilder nor apt-mirror-updater should be
implementing workarounds for this issue, because there are lots more use
cases for debootstrap than just these two projects, and each will
require a workaround until my suggested change to debootstrap is
implemented.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1363482
Title:
ubuntu-keyring includes 1024D keys
Status in Ubuntu CD Images:
Fix Released
Status in ubuntu-keyring package in Ubuntu:
Fix Released
Bug description:
ubuntu-keyring as shipped in trusty contains old 1024D keys dating
back to 2004 which are still being trusted for the main archive:
% gpg /usr/share/keyrings/ubuntu-archive-keyring.gpg | grep 1024D
pub 1024D/437D05B5 2004-09-12 Ubuntu Archive Automatic Signing Key <ftpmaster at ubuntu.com>
pub 1024D/FBB75451 2004-12-30 Ubuntu CD Image Automatic Signing Key <cdimage at ubuntu.com>
Given that newer 4096R keys are present and have been in precise
(through -updates) and trusty, it seems to be about time to drop the
older keys. (In the hope that apt does not choke on signatures it
cannot verify, otherwise the publisher would need to stop signing with
the old key as well.)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-cdimage/+bug/1363482/+subscriptions
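The `gpg ... | grep 1024D` check from the bug description, redone against gpg's machine-readable `--with-colons` listing so it does not depend on the human-readable layout. This is an added example, not part of the original message or of ubuntu-keyring; the 2048-bit threshold, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Colon-format fields used (GnuPG doc/DETAILS): 1 record type, 3 key length,
# 4 public-key algorithm (1-3 RSA, 16 ElGamal, 17 DSA), 5 key ID, 10 user ID.
MIN_BITS=2048   # assumed policy threshold, not taken from the bug report

# Read a --with-colons listing on stdin; print "bits algo keyid uid" per weak key.
weak_keys() {
    awk -F: -v min="$MIN_BITS" '
        function name(a) { return a == 17 ? "DSA" : (a == 16 ? "ELG" : "RSA") }
        $1 == "pub" {
            if (pending != "") print pending      # earlier weak key had no uid
            pending = ""
            # Bit length is only comparable for RSA, ElGamal and DSA keys;
            # ECC keys (algorithms 18, 19, 22) are short by design and skipped.
            sized = ($4 <= 3 || $4 == 16 || $4 == 17)
            if (sized && $3 + 0 < min) {
                pending = $3 " " name($4) " " $5
                # gpg 1.x puts the primary uid on the pub line itself.
                if ($10 != "") { print pending " " $10; pending = "" }
            }
            next
        }
        # gpg 2.x lists the uid on the following uid record.
        $1 == "uid" && pending != "" { print pending " " $10; pending = "" }
        END { if (pending != "") print pending }
    '
}

# Constructed sample listing (key IDs and user IDs are made up).
sample_listing() {
    cat <<'EOF'
tru::1:1539616911:0:3:1:5
pub:-:1024:17:1111111111111111:1094947200:::-:::scSC:
uid:-::::1094947200::X::Constructed Old Archive Key <old@example.invalid>:
pub:-:4096:1:2222222222222222:1336694400:::-:::scSC:
uid:-::::1336694400::X::Constructed New Archive Key <new@example.invalid>:
pub:-:256:22:3333333333333333:1536710400:::-:::scSC:
uid:-::::1536710400::X::Constructed Ed25519 Key <ed@example.invalid>:
EOF
}

# Real use (GnuPG 2.2 or later):
#   gpg --show-keys --with-colons /usr/share/keyrings/ubuntu-archive-keyring.gpg | weak_keys
sample_listing | weak_keys
```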