keyserver.ubuntu.com port 80 vs 11371 and firewalls

Bug #524416 reported by Niall Gallagher
This bug affects 44 people
Affects: Launchpad itself
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

keyserver.ubuntu.com does not listen on port 80, only port 11371, which prevents people in organisations with firewalls from accessing it.

This issue has affected me in both my current company and my previous one when trying to add PPA repositories to my Ubuntu install. These companies are not draconian; they just run standard firewalls.

There is a question on this issue here: https://answers.launchpad.net/launchpad/+question/79193
and a mailing-list discussion called "On apturls and repositories" here: https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2009-June/thread.html#8444

I can't find an existing bug report for this, just this similar issue for gpg: https://bugs.launchpad.net/launchpad/+bug/459519

According to the answer to the question linked above, the issue is that the default port of an SKS keyserver is 11371.

However, I see that the SKS keyserver software has an option to also run on port 80:
http://minskyprimus.net/sks/sks-man.html

"-use_port_80
Have the HKP interface listen on port 80, as well as the hkp_port."

...so the question is why is keyserver.ubuntu.com not configured to also listen on port 80?

I realise we are dealing with the HKP protocol, not HTTP, but if it would make Ubuntu keyservers a lot more friendly with organisational firewalls by listening on port 80, can Ubuntu consider doing that?

Currently, to import a PPA key I use web proxy sites to access the keyserver on my behalf, then I copy and paste the PPA key from the proxy site into a file and I import it manually. It's a very involved process.

Alternatively, perhaps we could add some workaround to the Ubuntu "adding a PPA" process, for example add a web interface which displays public keys as text, which people can then save to a file and import manually. This would avoid people having to use web proxy sites at least.

Finally I see a suggestion here: http://cprov.blogspot.com/2009/06/your-firewall-does-not-like.html
...which involves setting up an SSH tunnel over port 22 to the keyserver. Again this is a very involved workaround.

It would be nice if the keyservers were just accessible without such workarounds.

Rolf Leggewie (r0lf) wrote :

Opening http://keyserver.ubuntu.com shows an Apache page. So, it looks like something is already running on port 80.

In any case, your issue is probably more suitable to be raised in http://rt.ubuntu.com user/pw ubuntu/ubuntu

Jeroen T. Vermeulen (jtv) wrote :

I'll have to mark this bug ticket as Invalid to get it off the wrong people's to-do lists. It will stay around however, so you can continue to refer to it in RT.

Changed in launchpad:
status: New → Invalid

Niall Gallagher (npgall) wrote :

Created an issue in rt.ubuntu.com: https://rt.ubuntu.com/Ticket/Display.html?id=10550

Niall Gallagher (npgall) wrote :

For future reference, the ubuntu.com team have agreed to and rolled out the changes, so keyserver.ubuntu.com now does also listen on port 80.

Niall Gallagher (npgall) wrote :

Related discussion: https://answers.launchpad.net/ubuntu-website/+question/79193

Related bug: "add-apt-repository should have option to use port 80" - https://bugs.launchpad.net/ubuntu/+bug/716438
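
The port-80 access discussed in this report, as an added example that is not part of the original bug thread or of Launchpad's own code: shell functions that request a key from keyserver.ubuntu.com over HKP on port 80 and keep the file only if its fingerprint matches the full fingerprint that was expected. The function names are hypothetical, and curl plus a GnuPG version that supports `--show-keys` are assumed.

```shell
#!/bin/sh
# Added example (not from the bug thread). Function names are hypothetical.
KEYSERVER="keyserver.ubuntu.com"   # host named in this report

# Normalise a fingerprint: drop spaces and an optional 0x prefix, upper-case
# the hex digits, and accept only a full 40-digit (v4) fingerprint. Short
# 8- or 16-digit key IDs are rejected: they do not pin down a single key
# when the transport (plain HTTP, possibly via a proxy) is unauthenticated.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    fpr=${fpr#0[xX]}
    case "$fpr" in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Build the HKP "get" request. HKP is carried over HTTP, so the same path
# is valid on port 80 and on the default port 11371.
hkp_url() {  # usage: hkp_url FINGERPRINT [PORT]
    f=$(normalize_fpr "$1") || return 1
    printf 'http://%s:%s/pks/lookup?op=get&options=mr&search=0x%s\n' \
        "$KEYSERVER" "${2:-80}" "$f"
}

# Download the armored key over port 80, then compare the primary key's
# fingerprint with the expected one before the file is used for anything.
fetch_key() {  # usage: fetch_key FINGERPRINT OUTFILE
    want=$(normalize_fpr "$1") || { echo "need a full fingerprint" >&2; return 1; }
    curl -fsS --max-time 20 -o "$2" "$(hkp_url "$want" 80)" || return 1
    got=$(gpg --with-colons --show-keys "$2" |
          awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch: got ${got:-none}" >&2
        rm -f "$2"
        return 1
    fi
}
```

GnuPG can also be pointed at the same port directly with `gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys <fingerprint>`.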
