needs update for new archive key
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apt (Debian) | Fix Released | Unknown | |
apt (Ubuntu) | Invalid | High | Michael Vogt |
Debian Bug Importer (debzilla) wrote: #1
Debian Bug Importer (debzilla) wrote: #2
Marking as duplicate based on debbugs merge (345823,345891)
This bug has been marked as a duplicate of bug 27959.
Debian Bug Importer (debzilla) wrote: #3
Message-Id: <email address hidden>
Date: Wed, 4 Jan 2006 06:47:29 +0100
From: Christian Perrier <email address hidden>
To: <email address hidden>
Subject: merging 345823 345891
# Automatically generated email from bts, devscripts version 2.9.10
merge 345823 345891
Debian Bug Importer (debzilla) wrote: #4
Message-Id: <email address hidden>
Date: Wed, 4 Jan 2006 14:59:36 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: severity of 346002 is serious, merging 346002 345891
# Automatically generated email from bts, devscripts version 2.9.10
severity 346002 serious
merge 346002 345891
Debian Bug Importer (debzilla) wrote: #5
Message-Id: <email address hidden>
Date: Wed, 04 Jan 2006 21:17:26 +0000
From: "Adam D. Barratt" <email address hidden>
To: <email address hidden>, Ferenczi Viktor <email address hidden>
Subject: Re: Bug#346002: apt: GPG error when updating
# BTS control commands
package apt
# Raising severities as per the rationale in #345891
severity 346002 serious
severity 345823 serious
severity 345956 serious
merge 346002 345823 345956 345891
thanks
On Wed, 2006-01-04 at 20:25 +0100, Ferenczi Viktor wrote:
> Package: apt
> Version: 0.6.43
> Severity: normal
>
>
> I got an unusual GPG error when updating with apt-get update:
[...]
> W: GPG error: http://
This is the same issue as reported in #345891 and the two bugs I've just
merged with it (see above). Merging this report and the other three.
Regards,
Adam
Debian Bug Importer (debzilla) wrote: #6
Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 23:27:40 +0100
From: Michael Vogt <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Cc: Debian Bug Tracking System <email address hidden>
Subject: Re: Bug#345891: needs update for new archive key
On Tue, Jan 03, 2006 at 11:07:37PM -0500, Joey Hess wrote:
> Package: apt
> Version: 0.6.43
> Severity: serious
> Tags: d-i
Thanks for your bugreport and sorry for my late reply.
> apt needs to be updated for this year's archive key which is apparently
> the one at http://
The new key is added to my baz repository and it will be part of the
next (very soon) upload.
> I'm tagging this bug d-i because not having the key up-to-date in apt
> breaks new installations since apt doesn't work, and will begin breaking
> d-i even worse once the old archive key expires.
The updated default key in apt means that new installs will be fine,
but we need a better system for upgrades (see below).
> FWIW, I think that the archive key should be split out into a new
> package that can be updated more easily than apt, but for now a quick
> fix is called for.
I think the same. My proposal is to create a new debian-
[1] package that contains:
/usr/share/
/usr/share/
and calls "apt-key update" in its postinst. apt-key update will add
new keys from "debian-
keys in debian-
This way installing/updating the package will ensure that new keys are
added as required and obsolete keys can be removed. Because the keys
are part of a package and the package is covered with the trust-chain
there is no trust-chain violation.
If people are happy with my proposal I'll prepare and upload such a
package.
Cheers,
Michael
[1] I think we should create a new package and not use debian-keyring
because debian-keyring is pretty big.
--
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
Debian Bug Importer (debzilla) wrote: #7
Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 18:54:32 -0500
From: Joey Hess <email address hidden>
To: Michael Vogt <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#345891: needs update for new archive key
Thanks for following up on this..
Michael Vogt wrote:
> I think the same. My proposal is to create a new debian-
> [1] package that contains:
> /usr/share/
> /usr/share/
>
> and calls "apt-key update" in its postinst. apt-key update will add
> new keys from "debian-
> keys in debian-
>
> This way installing/updating the package will ensure that new keys are
> added as required and obsolete keys can be removed. Because the keys
> are part of a package and the package is covered with the trust-chain
> there is no trust-chain violation.
>
> If people are happy with my proposal I'll prepare and upload such a
> package.
Yes, that sounds right to me.
The installer also needs a copy of the keyring. Currently we copy this
from the keyring shipped in apt at package build time, but it would be
much nicer if there were a udeb that only contained the keyring. Once
you create this package I can send a patch to also make it produce an
appropriate udeb.
-- 
see shy jo
Debian Bug Importer (debzilla) wrote: #8
Message-ID: <email address hidden>
Date: Fri, 6 Jan 2006 02:59:21 +0100
From: Adeodato Simó <email address hidden>
To: Michael Vogt <email address hidden>, <email address hidden>
Subject: Re: Bug#345891: needs update for new archive key
* Michael Vogt [Thu, 05 Jan 2006 23:27:40 +0100]:
> but we need a better system for upgrades (see below).
Thanks for proposing this.
> I think the same. My proposal is to create a new debian-
Can I suggest that it's called debian-
instead? "debian-server" sounds like "a debian server", while
"debian-archive" sounds more (at least to me) like "the Debian
Archive".
Thanks,
--
Adeodato Simó dato at net.com.org.es
Debian Developer adeodato at debian.org
Man: Wow, that woman looks exactly the way Nina is going to look in
about ten years... Oh shit, it is Nina. Don't tell her what I said, okay?
-- http://
Debian Bug Importer (debzilla) wrote: #9
Message-Id: <email address hidden>
Date: Fri, 6 Jan 2006 17:21:04 +1100
From: Andrew Vaughan <email address hidden>
To: <email address hidden>
Subject: Re: Bug#345891: needs update for new archive key
Hi
Further things to consider. Apologies if these have already been handled.
1. Dec 2006 Etch releases. Jill downloads and burns etch install cd.
Jan 2007, old archive key expires, new archive key issued.
Jan 2008, old archive key expires, new archive key issued.
Mar 2008, Jill tries to install from the cd created in Dec 2006.
Will that work?
Will that work if all debian-archive-keys were revoked/replaced in
mid 2007?
2. security.d.o will (presumably) also be signed.
Will that be using the same key?
Using separate keys might make updating after a key compromise simpler.
(You could use the not-compromised key to sign both package lists
temporarily).
Andrew
PS I also prefer debian-
Debian Bug Importer (debzilla) wrote: #10
Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 23:35:22 -0800
From: Steve Langasek <email address hidden>
To: Andrew Vaughan <email address hidden>,
<email address hidden>
Subject: Re: Bug#345891: needs update for new archive key
On Fri, Jan 06, 2006 at 05:21:04PM +1100, Andrew Vaughan wrote:
> Hi
> Further things to consider. Apologies if these have already been handled.
> 1. Dec 2006 Etch releases. Jill downloads and burns etch install cd.
> Jan 2007, old archive key expires, new archive key issued.
> Jan 2008, old archive key expires, new archive key issued.
> Mar 2008, Jill tries to install from the cd created in Dec 2006.
> Will that work?
> Will that work if all debian-archive-keys were revoked/replaced in
> mid 2007?
The ISO images are generated on a different machine from ftp-master, with
their own Release files which must be signed by a separate key. The policy
for those keys (and for keys used for signing stable in general?) probably
needs to be separate from that used on the ftp archive.
Anyway, if by "install" you mean "fresh install", rather than just "install
some packages from this CD", the keys contained *on* the CD are ultimately
trusted (as is the rest of the software on the CD at time of install,
basically) at least until the point when you add some external apt source
that pulls revocation certificates from the network. So doing an install
from the CD should work fine, as long as the CD-signing key has no
expiration date or one sufficiently far in the future to cover our
worst-case needs for etch, or we provide some override in the CD to allow
installing with an ancient signature. Either way, I think ISOs pose much
less of a problem for us than ftp apt sources for stable.
> 2. security.d.o will (presumably) also be signed.
> Will that be using the same key?
I don't see any good reason to use the same key, given that they're on
separate systems.
-- 
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://
Debian Bug Importer (debzilla) wrote: #11
Message-ID: <email address hidden>
Date: Fri, 6 Jan 2006 06:44:05 +0100
From: Christian Perrier <email address hidden>
To: <email address hidden>
Cc: Joey Hess <email address hidden>
Subject: Re: Bug#345891: needs update for new archive key
> I think the same. My proposal is to create a new debian-
> [1] package that contains:
> /usr/share/
> /usr/share/
I add my voice here: this seems fair by me (with the name change
suggested by dato).
However, this raises an interesting question: who will maintain this
package?
My feeling is that it should be in the hands of the ftpmaster
team. This would give the guarantee of reactivity when updates are due
(hopefully once a year).
Debian Bug Importer (debzilla) wrote: #12
Message-ID: <email address hidden>
Date: Fri, 6 Jan 2006 09:56:22 -0500
From: Joey Hess <email address hidden>
To: Steve Langasek <email address hidden>, <email address hidden>
Cc: Andrew Vaughan <email address hidden>
Subject: Re: Bug#345891: needs update for new archive key
Steve Langasek wrote:
> The ISO images are generated on a different machine from ftp-master, with
> their own Release files which must be signed by a separate key. The policy
> for those keys (and for keys used for signing stable in general?) probably
> needs to be separate from that used on the ftp archive.
The CDs aren't signed at all right now, but for all CDs except for full
CDs (netinst, businesscard), if the archive key built into the CD is
expired, the install will probably fail.
-- 
see shy jo
Debian Bug Importer (debzilla) wrote: #13
Message-ID: <email address hidden>
Date: Tue, 10 Jan 2006 10:06:31 +0100
From: Michael Vogt <email address hidden>
To: <email address hidden>,
Adeodato Simó <email address hidden>
Subject: Re: Bug#345891: needs update for new archive key
On Fri, Jan 06, 2006 at 02:59:21AM +0100, Adeodato Simó wrote:
> * Michael Vogt [Thu, 05 Jan 2006 23:27:40 +0100]:
> > but we need a better system for upgrades (see below).
>
> Thanks for proposing this.
>
> > I think the same. My proposal is to create a new debian-
>
> Can I suggest that it's called debian-
> instead? "debian-server" sounds like "a debian server", while
> "debian-archive" sounds more (at least to me) like "the Debian
> Archive".
Thanks everyone for their opinion.
I uploaded a new debian-
ago that will work with apt-key update (and calls it automatically
after it was installed). It will also build a udeb (as suggested by
Joey Hess, thanks to Colin Watson).
About maintainership of this package, I'm happy to maintain it for
now, but I'm equally happy to give it away to the ftp-masters.
This package solves the problem for scheduled key rollovers (where we
sign with both new and old key for a certain time), but it uses the
old key to verify the package. This means that it's not suitable
against a key compromise of the archive key. How to deal with this
scenario needs to be discussed further.
Cheers,
Michael
--
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
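The design proposed in comment #6 (ship the archive keys in a package whose postinst runs "apt-key update", with the package itself protected by the existing trust chain) and the limitation stated just above (the new keyring is verified with the old key, so the scheme covers scheduled rollovers but not a compromised key) can both be checked against a small model. The following Python is an added illustration and is not apt's or Debian's code: it abstracts a signature to a (key id, payload) pair and does no real cryptography, the key ids OLD2005, NEW2006 and ROGUE are placeholders, and the apt warning it parses is a constructed sample in the shape quoted later in this thread (only the key id 010908312D230C5F in it comes from the thread; the host name is an assumption).

```python
"""Toy model of apt's archive-key trust chain across a key rollover.
Added illustration, not apt's or Debian's code: a signature is just a
(key id, payload) pair, there is no real cryptography, and the key ids
OLD2005, NEW2006 and ROGUE are placeholders."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    key_id: str   # long key id of the signing key
    payload: str  # the data the signature covers (Release file, package)


@dataclass(frozen=True)
class KeyringPackage:
    """A debian-archive-keyring upload: keys to add and keys to drop.
    Its postinst would run 'apt-key update' (see Client.install_keyring)."""
    add: frozenset
    remove: frozenset

    @property
    def payload(self):
        return "keyring:add=%s:remove=%s" % (sorted(self.add), sorted(self.remove))


def signed_by(payload, *key_ids):
    """The archive signing 'payload' with each of the given keys."""
    return [Signature(k, payload) for k in key_ids]


class Client:
    """One machine with apt's trusted keyring."""

    def __init__(self, trusted):
        self.trusted = set(trusted)

    def verify(self, payload, signatures):
        """apt accepts data if any valid signature on it is from a trusted
        key.  Returns (ok, ids of valid signatures it could not verify);
        the second element is what apt reports as NO_PUBKEY."""
        signers = {s.key_id for s in signatures if s.payload == payload}
        if signers & self.trusted:
            return True, frozenset()
        return False, frozenset(signers - self.trusted)

    def install_keyring(self, pkg, signatures):
        """A keyring package fetched through the archive is accepted only if
        it verifies under the *current* keyring, so a compromised current
        key can push any keyring at all."""
        ok, _ = self.verify(pkg.payload, signatures)
        if not ok:
            return False
        # 'apt-key update' semantics: add new keys, drop obsolete ones.
        self.trusted |= set(pkg.add)
        self.trusted -= set(pkg.remove)
        return True


def scheduled_rollover():
    """Yearly rollover: the archive signs with old+new for a while, ships
    the new key in the keyring package, then the old key expires."""
    old, new = "OLD2005", "NEW2006"
    release = "Release:2006-01"
    client = Client({old})
    out = {}
    # Overlap period: only the old key is trusted, and it still signs.
    out["overlap_ok"] = client.verify(release, signed_by(release, old, new))[0]
    # The keyring package arrives via the archive, verified by the old key.
    pkg = KeyringPackage(frozenset({new}), frozenset())
    out["keyring_installed"] = client.install_keyring(pkg, signed_by(pkg.payload, old, new))
    # Old key expired: the archive now signs with the new key only.
    out["after_expiry_ok"] = client.verify(release, signed_by(release, new))[0]
    # A machine that never installed the keyring package sees NO_PUBKEY.
    stale = Client({old})
    out["stale_missing"] = sorted(stale.verify(release, signed_by(release, new))[1])
    return out


def compromised_key():
    """Whoever holds the compromised old key can sign a keyring that adds
    their own key and drops the legitimate new one; clients accept it."""
    old, new, rogue = "OLD2005", "NEW2006", "ROGUE"
    client = Client({old, new})
    pkg = KeyringPackage(frozenset({rogue}), frozenset({new}))
    accepted = client.install_keyring(pkg, signed_by(pkg.payload, old))
    return accepted, rogue in client.trusted, new in client.trusted


NO_PUBKEY = re.compile(r"NO_PUBKEY ([0-9A-Fa-f]{8,16})")

# Constructed apt output in the shape quoted in this thread (the host is
# an assumption; only the key id is taken from the thread).
SAMPLE_APT_OUTPUT = (
    "W: GPG error: ftp://ftp.debian.org unstable Release: The following "
    "signatures couldn't be verified because the public key is not "
    "available: NO_PUBKEY 010908312D230C5F\n"
)


def missing_key_ids(apt_output):
    """Key ids apt could not verify; a fleet check can alert on these to
    find hosts a rollover has not reached."""
    return sorted(set(NO_PUBKEY.findall(apt_output)))
```

scheduled_rollover() shows the happy path the package is meant for: the client with only the old key verifies the dual-signed Release, picks up the new key from the keyring package, and keeps working after the old key expires, while a client that missed the update ends up with exactly the NO_PUBKEY situation reported in this thread. compromised_key() shows the gap the maintainer points out: the same install path accepts a keyring signed with the compromised key, so a separate, out-of-band mechanism (or a key the attacker does not hold) is needed for that case. The trust decision in Client.verify is the same "at least one trusted signer" test apt makes with gpgv against its trusted keyring; only the signature check itself is faked here.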
Debian Bug Importer (debzilla) wrote: #14
Message-ID: <010301c616ab$
Date: Wed, 11 Jan 2006 12:33:15 -0000
From: "Adam D. Barratt" <email address hidden>
To: "jetxee" <email address hidden>,
<email address hidden>
Subject: Re: Bug#347540: GPG error on update: public key not available
reassign 347540 apt
severity 347540 serious
merge 347540 345891
thanks
On Wednesday, January 11, 2006 12:08 PM, jetxee <email address hidden> wrote:
> Package: ftp.debian.org
>
> As of Wed Jan 11 12:58:48 CET 2006, I get the following error messages
> on aptitude update:
>
> W: GPG error: ftp://ftp.
> signatures couldn't be verified because the public key is not
> available: NO_PUBKEY 010908312D230C5F
[...]
> I failed to find a contemporary report on this subject in BTS, so
> post a new one.
That's because you're looking in the wrong place. :-)
This is http://
Merging this report also.
Regards,
Adam
Message-ID: <email address hidden>
Date: Tue, 3 Jan 2006 23:07:37 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: needs update for new archive key
Package: apt
Version: 0.6.43
Severity: serious
Tags: d-i
apt needs to be updated for this year's archive key which is apparently
the one at http://ftp-master.debian.org/ziyi_key_2006.asc
I'm tagging this bug d-i because not having the key up-to-date in apt
breaks new installations since apt doesn't work, and will begin breaking
d-i even worse once the old archive key expires.
FWIW, I think that the archive key should be split out into a new
package that can be updated more easily than apt, but for now a quick
fix is called for.
-- 
see shy jo