Please support InRelease files
Bug #804252 reported by Michael Vogt
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | Low | Colin Watson |
ubuntu-archive-publishing | Fix Released | Low | Colin Watson |
Bug Description
This is a splitout of bug #716535 into two features.
Debian has a new feature for Release files that we should support as well:
InRelease
That is just the release file with an inline signature (e.g. http://
One nice property is that Release and Release.gpg can no longer get out-of-sync.
Related bugs:
* bug 804252: Please support InRelease files
* bug 1430011: support apt by-hash mirrors
* bug 972077: apt repository disk format has race conditions
Related branches
lp:~cjwatson/launchpad/inline-release
- William Grant (community): Approve (code)
- Diff: 133 lines (+52/-7), 3 files modified:
  lib/lp/archivepublisher/archivesigningkey.py (+9/-0)
  lib/lp/archivepublisher/tests/archive-signing.txt (+23/-4)
  lib/lp/archivepublisher/tests/test_publisher.py (+20/-3)
lp:~cjwatson/ubuntu-archive-publishing/inline-release
- Colin Watson: Approve
- Diff: 19 lines (+12/-0), 1 file modified:
  publish-distro.d/10-sign-releases (+12/-0)
lp:~cjwatson/charms/trusty/ubuntu-repository-cache/inline-release
- Charles Butler (community): Approve
- Dan Watkins (community): Approve
- Diff: 12 lines (+1/-1), 1 file modified:
  templates/apache2/archive_ubuntu_com.conf (+1/-1)
Changed in launchpad:
status: New → Triaged
importance: Undecided → Low
Changed in launchpad:
assignee: nobody → Colin Watson (cjwatson)
description: updated
Changed in ubuntu-archive-publishing:
assignee: nobody → Colin Watson (cjwatson)
Changed in launchpad:
status: Triaged → In Progress
Changed in ubuntu-archive-publishing:
status: Triaged → In Progress
tags: added: qa-ok removed: qa-needstesting
Changed in launchpad:
status: Fix Committed → Fix Released
Changed in ubuntu-archive-publishing:
status: In Progress → Fix Released
E-mail consensus appears to be:
* It is quite possibly not safe to deploy anything that generates inline signatures with the primary archive key until we no longer support Ubuntu 11.04, which was vulnerable to bug 784473 at release time (since attacks using the clearsigned material would be possible against users who have performed a fresh install and are in the process of upgrading).
* We should audit to make sure there are no other similar vulnerabilities in Ubuntu 11.10.
Thus, although I've written the code, we'll need to defer deploying this for the time being.
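
Added illustration (not part of the bug report, its comments, or Launchpad's code): a strict structural check a client can apply to an InRelease file before signature verification. It accepts exactly one clearsigned block and rejects any content outside it, so only text covered by the inline signature is ever parsed. The name split_inrelease is hypothetical, and the sample's field values and signature blob are constructed placeholders.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample: field values and signature blob are placeholders.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Origin: Example
Suite: example-suite
-----BEGIN PGP SIGNATURE-----

PLACEHOLDERnotARealSignature
-----END PGP SIGNATURE-----
"""


def split_inrelease(text):
    """Return (signed_payload, signature_armor); raise ValueError otherwise.

    Structural check only: the signature itself must still be verified.
    """
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_MSG:
        raise ValueError("content before the clearsigned message")
    i = 1
    # Armor headers ("Hash: ...") run up to the first empty line.
    while i < len(lines) and lines[i] != "":
        if not lines[i].startswith("Hash: "):
            raise ValueError("unexpected armor header")
        i += 1
    payload = []
    i += 1
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        if line.startswith("- "):
            line = line[2:]  # undo dash-escaping of the signed text
        elif line.startswith("-"):
            raise ValueError("unescaped dash line inside signed text")
        payload.append(line)
        i += 1
    if i >= len(lines) or END_SIG not in lines[i:]:
        raise ValueError("missing or unterminated signature block")
    end = lines.index(END_SIG, i)
    if any(l.strip() for l in lines[end + 1:]):
        raise ValueError("content after the signature block")
    return "\n".join(payload) + "\n", "\n".join(lines[i:end + 1]) + "\n"
```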