2017-04-21 16:23:46 |
Dimitri John Ledkov |
bug |
|
|
added bug |
2017-04-21 16:24:03 |
Dimitri John Ledkov |
description |
[Impact]
* debian-archive-keyring provides Debian Archive keys in two formats/locations:
- /usr/share/keyrings/debian-archive-keyring.gpg
- /etc/apt/trusted.gpg.d/*.gpg snippets
The first location is used by many development tools to validate Debian mirrors when creating chroots/containers of
Debian releases.
The latter one is used by apt to validate and trust repositories.
Ubuntu and Debian releases are, often, binary incompatible with each other,
therefore by default on Ubuntu systems apt should not trust Debian Archive keys,
when one simply wants to have the ability to verify Debian releases on an Ubuntu system.
Furthermore, debian-archive-keyring is often not installed explicitly but pulled in
as a dependency. Thus the presence of debian-archive-keyring cannot be treated as
consent to trust Debian archive keys by default.
[Test Case]
* Install debian-archive-keyring
* Verify that Debian keys are listed in the output of $ apt-key list
* Upgrade debian-archive-keyring
* Verify that Debian keys are no longer present in the output of $ apt-key list
[Regression Potential]
* Users that rely on the host system to trust Debian archive keys will no longer be able to do so.
* As a workaround those users should symlink /usr/share/keyrings/debian-archive-keyring.gpg into
/etc/apt/trusted.gpg.d/
* Maybe we should provide a package "debian-archive-keyring-trusted" which will ship the trusted.gpg.d
snippets and make host systems trust Debian keys. But I do not believe there is a demand for that. |
|
2017-04-21 16:24:34 |
Dimitri John Ledkov |
description |
|
2017-04-21 16:24:46 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Trusty |
|
2017-04-21 16:24:46 |
Dimitri John Ledkov |
bug task added |
|
debian-archive-keyring (Ubuntu Trusty) |
|
2017-04-21 16:24:46 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Vivid |
|
2017-04-21 16:24:46 |
Dimitri John Ledkov |
bug task added |
|
debian-archive-keyring (Ubuntu Vivid) |
|
2017-04-21 16:24:46 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Artful |
|
2017-04-21 16:24:46 |
Dimitri John Ledkov |
bug task added |
|
debian-archive-keyring (Ubuntu Artful) |
|
2017-04-21 16:24:46 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Zesty |
|
2017-04-21 16:24:46 |
Dimitri John Ledkov |
bug task added |
|
debian-archive-keyring (Ubuntu Zesty) |
|
2017-04-21 16:24:46 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Yakkety |
|
2017-04-21 16:24:46 |
Dimitri John Ledkov |
bug task added |
|
debian-archive-keyring (Ubuntu Yakkety) |
|
2017-04-21 16:24:46 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Xenial |
|
2017-04-21 16:24:46 |
Dimitri John Ledkov |
bug task added |
|
debian-archive-keyring (Ubuntu Xenial) |
|
2017-04-21 16:26:56 |
Dimitri John Ledkov |
attachment added |
|
no-trusted-keys-for-ubuntu.diff https://bugs.launchpad.net/ubuntu/+source/debian-archive-keyring/+bug/1685305/+attachment/4866108/+files/no-trusted-keys-for-ubuntu.diff |
|
2017-04-21 16:30:53 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2017-04-21 16:39:36 |
Dimitri John Ledkov |
bug task deleted |
debian-archive-keyring (Ubuntu Vivid) |
|
|
2019-07-07 13:44:56 |
Mattia Rizzolo |
debian-archive-keyring (Ubuntu Zesty): status |
New |
Won't Fix |
|
2019-07-07 13:45:00 |
Mattia Rizzolo |
debian-archive-keyring (Ubuntu Yakkety): status |
New |
Won't Fix |
|
2019-07-07 13:45:10 |
Mattia Rizzolo |
debian-archive-keyring (Ubuntu Artful): status |
New |
Won't Fix |
|
2019-07-07 13:45:19 |
Mattia Rizzolo |
debian-archive-keyring (Ubuntu): status |
New |
Fix Released |
|
2019-07-07 13:46:00 |
Mattia Rizzolo |
debian-archive-keyring (Ubuntu): assignee |
|
Dimitri John Ledkov (xnox) |
|