Debian keys should not be trusted by default

Bug #1685305 reported by Dimitri John Ledkov
Affects                                  Status        Importance  Assigned to          Milestone
debian-archive-keyring (Ubuntu)          Fix Released  Undecided   Dimitri John Ledkov
debian-archive-keyring (Ubuntu Trusty)   New           Undecided   Unassigned
debian-archive-keyring (Ubuntu Xenial)   New           Undecided   Unassigned
debian-archive-keyring (Ubuntu Yakkety)  Won't Fix     Undecided   Unassigned
debian-archive-keyring (Ubuntu Zesty)    Won't Fix     Undecided   Unassigned
debian-archive-keyring (Ubuntu Artful)   Won't Fix     Undecided   Unassigned

Bug Description

[Impact]

 * debian-archive-keyring provides Debian Archive keys in two formats/locations:
   - /usr/share/keyrings/debian-archive-keyring.gpg
   - /etc/apt/trusted.gpg.d/*.gpg snippets

   The first location is used by many development tools to validate Debian
   mirrors when creating chroots/containers of Debian releases.

   The latter one is used by apt to validate and trust repositories.

   Ubuntu and Debian releases are often binary incompatible with each other;
   therefore, by default on Ubuntu systems apt should not trust Debian Archive keys
   when one simply wants to have the ability to verify Debian releases on an Ubuntu system.

   Furthermore, debian-archive-keyring is often not installed explicitly but pulled in
   as a dependency. Thus the presence of debian-archive-keyring cannot be treated as
   consent to trust Debian archive keys by default.

[Test Case]

 * Install debian-archive-keyring
 * Verify that Debian keys are listed in the output of $ apt-key list
 * Upgrade debian-archive-keyring
 * Verify that Debian keys are no longer present in the output of $ apt-key list

[Regression Potential]

 * Users that rely on the host system to trust Debian archive keys will find it no longer does.
 * As a workaround those users should symlink
   /usr/share/keyrings/debian-archive-keyring.gpg into /etc/apt/trusted.gpg.d/
 * Maybe we should provide a package "debian-archive-keyring-trusted" which will
   ship the trusted.gpg.d snippets and make host systems trust Debian keys. But I
   do not believe there is a demand for that.

Tags: patch
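The test case above checks the trusted set by eye with `apt-key list`. As an added example (not from the bug report or the package), the following script does the same check mechanically: it compares the fingerprints in the debootstrap keyring /usr/share/keyrings/debian-archive-keyring.gpg against every *.gpg snippet in /etc/apt/trusted.gpg.d/ and reports any Debian key apt would trust, which is the state the fix removes and the symlink workaround deliberately restores. It assumes gpg, awk, sort and uniq are installed; the paths are the report's defaults and can be overridden by arguments.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit which keys from the
# Debian keyring shipped for debootstrap are also trusted by apt on this host.
# Keys are matched by fingerprint using gpg's machine-readable colon output.
# Note: on older releases apt also reads /etc/apt/trusted.gpg, which is not
# covered here.

# Read gpg --with-colons output on stdin and print one fingerprint per line
# ("fpr" records carry the fingerprint in field 10), sorted and deduplicated.
fprs_from_colons() {
    awk -F: '$1 == "fpr" && $10 != "" { print $10 }' | sort -u
}

# Fingerprints of all public keys in a binary keyring file.
keyring_fprs() {
    gpg --batch --no-default-keyring --keyring "$1" \
        --list-keys --with-colons --with-fingerprint 2>/dev/null | fprs_from_colons
}

# Print fingerprints present in both newline-separated lists $1 and $2.
# Each list is deduplicated first, so a line seen twice is in both lists.
overlap_fprs() {
    { printf '%s\n' "$1" | sort -u; printf '%s\n' "$2" | sort -u; } \
        | grep -v '^$' | sort | uniq -d
}

# Report Debian archive keys that apt would trust. Prints the shared
# fingerprints and returns 1 if any are found; returns 0 if apt trusts none.
check_debian_keys_not_trusted() {
    debian_keyring=${1:-/usr/share/keyrings/debian-archive-keyring.gpg}
    trusted_dir=${2:-/etc/apt/trusted.gpg.d}
    debian=$(keyring_fprs "$debian_keyring")
    trusted=""
    for f in "$trusted_dir"/*.gpg; do
        [ -e "$f" ] || continue
        trusted="$trusted
$(keyring_fprs "$f")"
    done
    shared=$(overlap_fprs "$debian" "$trusted")
    if [ -n "$shared" ]; then
        echo "apt trusts these Debian archive keys:"
        echo "$shared"
        return 1
    fi
    echo "no Debian archive key is trusted by apt"
    return 0
}

# Run the audit when invoked as: sh audit.sh --run [keyring] [trusted_dir]
if [ "${1:-}" = "--run" ]; then
    check_debian_keys_not_trusted "${2:-}" "${3:-}"
fi
```

After the fixed package is installed the audit should report no shared keys; after adding the symlink workaround it should list every Debian key.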
Dimitri John Ledkov (xnox) wrote :
description: updated
description: updated
tags: added: patch
no longer affects: debian-archive-keyring (Ubuntu Vivid)
Matthijs Kooijman (matthijskooijman) wrote :

AFAICS this is fixed in 2017.7.ubuntu1:

debian-archive-keyring (2017.7ubuntu1) bionic; urgency=medium

  * Do not trust debian archive keys by default, and instead ship those
    keys in usr/share/keyrings. On Ubuntu, this package is mostly used for
    validating chroots when debootstrapping Debian using
    /usr/share/keyrings/debian-archive-keyring.gpg

 -- Dimitri John Ledkov <email address hidden> Tue, 16 Jan 2018 16:52:37 +0000

Mattia Rizzolo (mapreri) wrote :

Right, fixed in 2017.1; if anybody wants to do an SRU for trusty and xenial, they are welcome to.

Changed in debian-archive-keyring (Ubuntu Zesty):
status: New → Won't Fix
Changed in debian-archive-keyring (Ubuntu Yakkety):
status: New → Won't Fix
Changed in debian-archive-keyring (Ubuntu Artful):
status: New → Won't Fix
Changed in debian-archive-keyring (Ubuntu):
status: New → Fix Released
assignee: nobody → Dimitri John Ledkov (xnox)