Bumping apt RSA key length requirements to 3072-bit (2048 w/ warning) for 24.04

Jeremy Bícha jeremy.bicha at canonical.com
Mon Jan 22 13:30:38 UTC 2024

On Mon, Jan 22, 2024 at 7:36 AM Dimitri John Ledkov
<dimitri.ledkov at canonical.com> wrote:
> > Sadly shipping this in 24.04 means that PPAs owned by user
> > accounts created prior to 2014-03-11[3] until the key rotation
> > mechanism(s) [4][5] have been implemented.
> >
> I do wonder how many active old PPA owners remain in action.
> And if we can reset per-series signing keys on all of those for any
> new PPAs, and noble series (meaning single signed, new key for noble+).
> I have personally created a new team for myself, only added myself to
> be a member of said team, to gain access to PPAs signed with 4k RSA
> key, as I can no longer use my own PPAs. I guess I should ask to
> delete them all, and request removal of the signing key to gain back
> personal PPAs with 4k signing key.

Many of Ubuntu's core teams are older than 2014. This includes
Desktop, Checkbox, Kernel, Pythoneers, Security, Mozilla, LibreOffice,
Kubuntu, Lubuntu.

I suspect that this change would break most of the most heavily used PPAs.
We need a coordinated transition.

Thank you,
Jeremy Bícha
