[Bug 1624378] Re: apt-key net-update should use trusted.gpg.d/
Julian Andres Klode
julian.klode at gmail.com
Thu Aug 17 18:31:04 UTC 2017
I think we reached somewhat of an agreement that net-update is a bad
idea and should not be done. It also depends on gnupg.
We should eventually consider developing something else, but I'm not
sure what that would look like. Currently, there is no way to revoke keys
except through packages, basically, which is a security issue. We need
to provide signed keyfiles on different locations that apt can download
so an attacker cannot use a broken key and MITM existing repositories
forever.
--
https://bugs.launchpad.net/bugs/1624378
Title:
apt-key net-update should use trusted.gpg.d/
Status in apt package in Ubuntu:
Won't Fix
Bug description:
apt-key net-update for the new world order
/etc/apt/trusted.gpg is no longer the preferred location for key updates.
Instead, individual OpenPGP packets of exported public keys should be
placed in /etc/apt/trusted.gpg.d
Debian has already migrated to placing the keys there.
To comply with the /etc/apt/trusted.gpg.d structure, instead of updating
the keys in /etc/apt/trusted.gpg, imho apt-key net-update should
download and place a /etc/apt/trusted.gpg.d/ubuntu-archive-netupdate.gpg key.
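The bug description assumes that what lands in /etc/apt/trusted.gpg.d is a binary export of OpenPGP public-key packets. As an added example (not apt's code and not from the bug thread), the following Python checker walks the OpenPGP packet headers of such a file (RFC 4880, section 4.2) and classifies it: a binary public-key export, ASCII-armored text that still needs dearmoring, malformed or truncated data, or secret-key material that should never sit in a trust store. The sample key bytes are constructed dummies with no real key material, and the directory and file names in the demo are assumptions.

```python
"""Classify candidate keyring files for an apt trusted.gpg.d directory by
parsing OpenPGP packet headers.  Added example; not apt's own code."""
import os
import tempfile

# Packet tags from RFC 4880 section 4.3.
SIGNATURE, SECRET_KEY, PUBLIC_KEY, SECRET_SUBKEY = 2, 5, 6, 7
USER_ID, PUBLIC_SUBKEY, USER_ATTR = 13, 14, 17
KEYRING_TAGS = {PUBLIC_KEY, SIGNATURE, PUBLIC_SUBKEY, USER_ID, USER_ATTR}
ARMOR_HEADER = b"-----BEGIN PGP"


def packet_tags(data: bytes) -> list:
    """Return the tag of every top-level packet in a binary OpenPGP stream.
    Raises ValueError on a bad header, an unsupported length encoding, or a
    packet that claims more bytes than the file holds."""
    tags, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("offset %d: not an OpenPGP packet header" % pos)
        if ctb & 0x40:  # new-format header: tag in the low six bits
            tag = ctb & 0x3F
            if pos + 1 >= len(data):
                raise ValueError("offset %d: truncated header" % pos)
            first = data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                if pos + 2 >= len(data):
                    raise ValueError("offset %d: truncated header" % pos)
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not valid in keyrings")
        else:  # old-format header: tag in bits 2..5, length type in bits 0..1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not valid in keyrings")
            hdr = 1 + (1 << ltype)          # 1-, 2- or 4-byte length field
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        if pos + hdr + length > len(data):
            raise ValueError("packet %d truncated" % len(tags))
        tags.append(tag)
        pos += hdr + length
    return tags


def classify(data: bytes) -> str:
    """Label a file as 'public-key', 'armored', 'secret-key', 'empty',
    'invalid' or 'not-a-keyring'."""
    if data.startswith(ARMOR_HEADER):
        return "armored"        # text form; apt wants the dearmored binary
    try:
        tags = packet_tags(data)
    except ValueError:
        return "invalid"
    if not tags:
        return "empty"
    if SECRET_KEY in tags or SECRET_SUBKEY in tags:
        return "secret-key"     # private material in a trust store: remove it
    if tags[0] == PUBLIC_KEY and set(tags) <= KEYRING_TAGS:
        return "public-key"
    return "not-a-keyring"


def old_format_packet(tag: int, body: bytes) -> bytes:
    """Encode one old-format packet, the form `gpg --export` uses for keys."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2) | 0, len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body


# Constructed sample: a v4 RSA public-key packet with dummy MPIs, a user-ID
# packet and a signature packet.  Not a real key and not verifiable.
_KEY_BODY = b"\x04" + b"\x00\x00\x00\x00" + b"\x01" + b"\x00\x08\x80" + b"\x00\x11\x01\x00\x01"
SAMPLE_PUBLIC_KEY = (
    old_format_packet(PUBLIC_KEY, _KEY_BODY)
    + old_format_packet(USER_ID, b"Constructed Example <constructed@example.invalid>")
    + old_format_packet(SIGNATURE, b"\x04\x13\x01\x08" + b"\x00" * 8)
)


def audit_trusted_dir(path: str) -> dict:
    """Classify every regular file in a trusted.gpg.d-style directory."""
    report = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                report[name] = classify(fh.read())
    return report


if __name__ == "__main__":
    # Demo on a temporary directory standing in for /etc/apt/trusted.gpg.d
    # (assumed layout; file names are made up).
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "ubuntu-archive-netupdate.gpg"), "wb") as fh:
            fh.write(SAMPLE_PUBLIC_KEY)
        with open(os.path.join(tmp, "vendor.asc"), "wb") as fh:
            fh.write(b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n")
        with open(os.path.join(tmp, "junk.gpg"), "wb") as fh:
            fh.write(SAMPLE_PUBLIC_KEY[:-1])
        for name, label in audit_trusted_dir(tmp).items():
            print("%-32s %s" % (name, label))
```

Run it against a real directory with `audit_trusted_dir("/etc/apt/trusted.gpg.d")`; anything other than `public-key` deserves a look, and a truncated or armored file explains an otherwise puzzling "NO_PUBKEY" from apt.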