Debian keys should not be trusted by default
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| debian-archive-keyring (Ubuntu) | Fix Released | Undecided | Dimitri John Ledkov | |
| Trusty | New | Undecided | Unassigned | |
| Xenial | New | Undecided | Unassigned | |
| Yakkety | Won't Fix | Undecided | Unassigned | |
| Zesty | Won't Fix | Undecided | Unassigned | |
| Artful | Won't Fix | Undecided | Unassigned | |
Bug Description
[Impact]
* debian-
- /usr/share/
- /etc/apt/
The first location is used by many development tools to validate Debian
mirrors when creating chroots/containers of Debian releases.
The latter one is used by apt to validate and trust repositories.
Ubuntu and Debian releases are often binary incompatible with each other;
therefore, by default, apt on Ubuntu systems should not trust Debian archive keys
when one simply wants the ability to verify Debian releases on an Ubuntu system.
Furthermore, debian-
as a dependency. Thus the presence of debian-
consent to trust Debian archive keys by default.
[Test Case]
* Install debian-
* Verify that Debian keys are listed in the output of $ apt-key list
* Upgrade debian-
* Verify that Debian keys are no longer present in the output of $ apt-key list
[Regression Potential]
* Users that rely on the host system trusting Debian archive keys will no longer have that behaviour.
* As a workaround those users should symlink
/usr/
* Maybe we should provide a package "debian-
ship the trusted.gpg.d snippets and make host systems trust Debian keys. But I
do not believe there is a demand for that.
tags: added: patch
no longer affects: debian-archive-keyring (Ubuntu Vivid)
AFAICS this is fixed in 2017.7.ubuntu1:
debian-archive-keyring (2017.7ubuntu1) bionic; urgency=medium
* Do not trust debian archive keys by default, and instead ship those
keys in usr/share/keyrings. On Ubuntu, this package is mostly used for
validating chroots when debootstrapping Debian using
/usr/share/keyrings/debian-archive-keyring.gpg
-- Dimitri John Ledkov <email address hidden> Tue, 16 Jan 2018 16:52:37 +0000