APT 2.8.4+: Promote weak key warnings to errors

> ⚠️ Only land this in the release pocket after PPAs have been resigned

I am marking this incomplete, as it is unclear to me what the intended timeline is for the resigning, or if your comment about the release pocket should also apply to -updates.

The same caveat applies to -updates, but there is a question of whether we should ship 2.8.0 as this or make 2.8.0 different, I did not push a tag for it yet.

i.e. given that this is a stable release update that will break PPAs users currently have warnings for, it might make sense to make it break that a couple months down the road after we have a transition period, i.e. we can "timebomb" things by making apt treat the weak keys as expiring in August (August because we really want this sorted out by the point release when the big wave of 22.04 users upgrades).

We could also introduce a new version of software-properties-common that adds PPA key refresh. We should then trigger that by apt postinst, or in the software-properties-common postinst. I do not believe we need to enforce a strict ordering relationship here, so 2.8.0 as is should technically be good to go.

It's understandable that breaking existing repositories in a stable release is not optimal, however the warnings don't work as a security mechanism - we do not show you which weak keys are trusted, just which weak keys were used to sign the repository:

Hence if you have a 1024R key and a 4096R that can sign a repository, but it's signed by the 4096R key now, you don't see the 1024R key, and an attacker could resign the repository with it and silently attack you.

So this is something we do need to target for the first point release; we want users upgrading from 22.04 to not end up in the transitional stage where they have warnings.

Hello Julian, or anyone else affected,

Accepted apt into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/2.8.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted apt (2.8.0) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

apport/2.28.1-0ubuntu2 (ppc64el)
auto-apt-proxy/14.1 (arm64)
autopkgtest/5.34ubuntu2 (amd64, arm64, ppc64el)
cron/3.0pl1-184ubuntu2 (s390x)
gcc-12/12.3.0-17ubuntu1 (armhf)
sbuild/0.85.7 (amd64, armhf, i386, s390x)
update-manager/1:24.04.6 (amd64, arm64, armhf, ppc64el, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#apt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Removing the block-proposed tag for oracular

This bug was fixed in the package apt - 2.9.3

---------------
apt (2.9.3) unstable; urgency=medium

  [ Julian Andres Klode ]
  * Initial implementation ("alpha") of the 3.0 solver:
    This new solver is available using the --solver 3.0 option.
    Highlights:
    - Fully backtracking solver, think DPLL without pure literal elimination
    - Manually installed packages are not offered up for removal
    - New --no-strict-pinning option allows APT to fallback to non-candidate
      versions, e.g. apt install --no-strict-pinning foo/experimental installs
      foo from experimental and will switch dependencies where needed.
    - Autoremove is more aggressive and only keeps the strongest automatically
      installed package. For example, gcc-<version> will now be offered for
      removal and no longer kept around due libtool Depends: gcc | c-compiler
      and gcc-<version> Provides: c-compiler, as `gcc` is already satisfied.
    Caveats right now:
    - Test suite is not yet passing
    - The list of automatically removable packages is not displayed
      when automatically installed packages are not removed
    - Error information gets lost on backtracking (see Debug::APT::Solver=2)
    - Error information is just rendered as A -> B implication graphs,
      with some nodes perhaps containing a "not".
    - The logic for replacing obsolete manually installed packages with
      new replacement packages (think Conflits/Replaces/Provides) is not
      yet implemented.
    - Conflict-driven clause learning is not implemented, so backtracking
      is technically pretty inefficient.
  * Solver3 integration fixes:
    - test: Ignore progress output in comparing output..
    - test-allow-scores-for-all-dependency-types: Adjust for solver3
    - EDSP: Add "solver3" alias for apt-internal-solver
  * UI work:
    - Highlight essential removals with action::remove color
    - The text of notices and audits shall not be bold
    - Separate columns by 2 spaces in lists (Closes: #1070064)
  * Support src:name shortcuts in showsrc, source, build-dep commands

  [ David Kalnischkies ]
  * Do not ignore if a cmake execute_process fails
  * Avoid figuring which kept pkgs are phased if we don't display it
  * Match version constraints before saving garbage packages
  * Do not upgrade rev-deps ear-marked for removal
  * Drop sudo-related envvars in testing framework
  * Add test for dealing with unsat Suggests promoted to Recommends
  * Allow parsing an empty Provides line (Closes: #1069874)

  [ Frans Spiesschaert ]
  * Dutch program translation update (Closes: #1070142)
  * Dutch manpages translation update (Closes: #1070143)

 -- Julian Andres Klode <email address hidden> Tue, 14 May 2024 13:01:31 +0200

Hello Julian, or anyone else affected,

Accepted apt into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/2.8.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

this upload is not to be accepted to -updates before the discussion on ubuntu-release@ is concluded

All autopkgtests for the newly accepted apt (2.8.1) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

apport/2.28.1-0ubuntu3 (s390x)
auto-apt-proxy/14.1 (armhf, s390x)
cron/3.0pl1-184ubuntu2 (arm64)
dgit/11.8 (arm64)
gcc-10/10.5.0-4ubuntu2 (arm64)
gcc-11/11.4.0-9ubuntu1 (armhf)
gcc-13/13.2.0-23ubuntu4 (arm64, armhf)
gcc-13/unknown (s390x)
gcc-14/14-20240412-0ubuntu1 (armhf)
gcc-snapshot/1:20240117-1ubuntu1 (arm64, armhf)
ubiquity/24.04.5 (armhf)
update-notifier/unknown (s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#apt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

I discussed the plan for noble-updates and for 24.04.1 with Julian in detail yesterday. I think the plan is likely to be accepted by the SRU team. We're behind with the documentation, but I'm accepting the newest upload to noble-proposed now since time is tight. Julian will make sure that the full plan, test plan etc is documented in the near future.

Hello Julian, or anyone else affected,

Accepted apt into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/2.8.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted apt (2.8.2) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

apport/2.28.1-0ubuntu3.1 (armhf)
apt/2.8.2 (armhf, s390x)
auto-apt-proxy/14.1 (ppc64el, s390x)
cron/3.0pl1-184ubuntu2 (arm64, s390x)
dgit/11.8 (arm64, s390x)
gcc-11/11.4.0-9ubuntu1 (arm64)
gcc-12/12.3.0-17ubuntu1 (amd64, s390x)
gcc-13/13.2.0-23ubuntu4 (arm64, armhf)
gcc-14/unknown (armhf, s390x)
gcc-snapshot/1:20240117-1ubuntu1 (amd64, arm64, s390x)
open-build-service/unknown (armhf, s390x)
postgresql-debversion/unknown (s390x)
python-apt/unknown (s390x)
reportbug/unknown (s390x)
reprotest/unknown (s390x)
ubuntu-advantage-tools/unknown (s390x)
unattended-upgrades/unknown (s390x)
update-notifier/unknown (s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#apt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

All autopkgtests for the newly accepted apt (2.8.2) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

autopkgtest/5.34ubuntu2 (amd64, arm64, armhf)
update-manager/1:24.04.9 (amd64, arm64, armhf, i386, ppc64el, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#apt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Hello Julian, or anyone else affected,

Accepted apt into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apt/2.8.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted apt (2.8.3) for noble have finished running.
The following regressions have been reported in tests triggered by the package:

auto-apt-proxy/14.1 (s390x)
autopkgtest/5.38ubuntu1~24.04.1 (armhf)
ca-certificates-java/20240118 (ppc64el)
cron/3.0pl1-184ubuntu2 (ppc64el)
dgit/11.8 (ppc64el, s390x)
gcc-10/10.5.0-4ubuntu2 (ppc64el)
gcc-11/unknown (ppc64el)
gcc-12/unknown (ppc64el)
gcc-13/13.3.0-6ubuntu2~24.04 (ppc64el)
gcc-14/14.2.0-4ubuntu2~24.04 (ppc64el)
gcc-9/9.5.0-6ubuntu2 (ppc64el)
gcc-snapshot/unknown (ppc64el)
update-manager/1:24.04.9 (amd64, arm64, armhf, i386, ppc64el, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/noble/update_excuses.html#apt

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

As discussed before and documented in the bug description, we are ignoring this for verification purposes, and setting this to done. The bug will be reopened once the update has been released to be fixed properly in a future upload.

This bug was fixed in the package apt - 2.8.3

---------------
apt (2.8.3) noble; urgency=medium

  * Revert increased key size requirements from 2.8.0-2.8.2 (LP: #2073126)
    - Revert "Only install 00-temporary-rsa1024 for >=2.7.6 and improve comment"
    - Revert "Only warn about <rsa2048 when upgrading from 2.7.x to 2.8.x"
    - Revert rsa1024 to warnings again
    This leaves the mechanisms in place and no longer warns about NIST curves.
  * Fix keeping back removals of obsolete packages; and return an error if
    ResolveByKeep() is unsuccessful (LP: #2078720)
  * Fix buffer overflow, stack overflow, exponential complexity in
    apt-ftparchive Contents generation (LP: #2083697)
    - ftparchive: Mystrdup: Add safety check and bump buffer size
    - ftparchive: contents: Avoid exponential complexity and overflows
    - test framework: Improve valgrind support
    - test: Check that apt-ftparchive handles deep paths
    - Workaround valgrind "invalid read" in ExtractTar::Go by moving large
      buffer from stack to heap. The large buffer triggered some bugs in
      valgrind stack clash protection handling.

apt (2.8.2) noble; urgency=medium

  * Only install 00-temporary-rsa1024 for >=2.7.6 and improve comment
    (follow-up for LP: #2073126)

apt (2.8.1) noble; urgency=medium

  * Only revoke weak RSA keys for now, add 'next' and 'future' levels
    (backported from 2.9.7)
    Note that the changes to warn about keys not matching the future level
    in the --audit level are not fully included, as the --audit feature
    has not yet been backported. (LP: #2073126)
  * Introduce further mitigation on upgrades from 2.7.x to allow these
    systems to continue using rsa1024 repositories with warnings
    until the 24.04.2 point release (LP: #2073126)

apt (2.8.0) noble; urgency=medium

  [ Julian Andres Klode ]
  * Revert "Temporarily downgrade key assertions to "soon worthless""
    We temporarily downgraded the errors to warnings to give the
    launchpad PPAs time to be fixed, but warnings are not safe:
    Untrusted keys could be hiding on your system, but just not
    used at the moment. Hence revert this so we get the errors we
    want. (LP: #2060721)
  * Branch off the stable 2.8.y branch for noble:
    - CI: Test in ubuntu:noble images for 2.8.y
    - debian/gbp.conf: Point at the 2.8.y branch

  [ David Kalnischkies ]
  * Test suite fixes:
    - Avoid subshell hiding failure report from testfilestats
    - Ignore umask of leftover diff_Index in failed pdiff test
  * Documentation translation fixes:
    - Fix and unfuzzy previous VCG/Graphviz URI change

 -- Julian Andres Klode <email address hidden> Tue, 22 Oct 2024 15:02:22 +0200

The verification of the Stable Release Update for apt has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.