Julian, I'm afraid that for better or worse Launchpad did generate
1024-bit RSA keys for PPAs for quite some time, and that wasn't an
entirely silly decision back when it was first made - even then DSA had
known weaknesses.  It's a problem, but as you say we'd need to work out
a rollover mechanism.  Signing with two keys is certainly a possibility
(we did that with the Ubuntu archive for a while, so it's battle-tested),
and I expect that any solution to this would involve that, but
there's no clear way to end the transition.

Bob, I'm afraid that your proposed "simple" workaround is no such thing
(a naive implementation would expose launchpad.net to XSS attacks from
user-supplied content on ppa.launchpad.net).  I listed the issues that
would need to be solved in bug 1473091.  Anyway, TLS is a side issue
here and this bug shouldn't be derailed into that.

We are very unlikely to do any of the proposed renaming/mirroring hacks;
they would be a mess and likely a cure worse than the disease.

https://bugs.launchpad.net/bugs/1461834

Title:
  1024-bit signing keys should be deprecated

Status in Launchpad itself:
  New
Status in apt package in Ubuntu:
  Invalid
Status in gnupg2 package in Ubuntu:
  New

Bug description:
  1024-bit RSA was deprecated years ago by NIST[1], Microsoft[2] and
  more recently by others[3].

  1024-bit signing keys are insufficient to guarantee the authenticity
  of software distributed from Launchpad.net including PPAs. There
  should be a mechanism to refuse signing keys below a minimum key
  length based on key type. 1024-bit signing keys should be deprecated
  and removed from Launchpad.net itself ASAP.  Future projects and PPAs
  should be disallowed from using 1024-bit signing keys.

  1. http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
  2. http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
  3. https://threatpost.com/mozilla-1024-bit-cert-deprecation-leaves-107000-sites-untrusted/108114
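The per-type minimum key length check the report asks for, as an added example that is not Launchpad's or apt's own code: it reads a `gpg --list-keys --with-colons` listing (for example of an apt trusted keyring) and reports signing-capable keys below an assumed threshold for their algorithm. The thresholds, key IDs and sample listing are constructed for illustration.

```python
"""Audit a `gpg --list-keys --with-colons` listing for signing keys below a
per-type minimum size.  Added example; thresholds and listing are constructed."""
from typing import Dict, List, Tuple

# OpenPGP public-key algorithm IDs (RFC 4880 section 9.1) for the key types
# this policy covers; anything else is reported for manual review.
ALGO_FAMILY = {1: "RSA", 2: "RSA", 3: "RSA", 17: "DSA"}
# Minimum acceptable size in bits (policy assumption, in line with NIST
# SP 800-131A moving signing away from 1024-bit RSA/DSA).
MIN_BITS = {"RSA": 2048, "DSA": 2048}


def signing_keys(listing: str) -> List[Tuple[str, int, int]]:
    """Return (keyid, bits, algo) for every pub/sub record with the 's' capability."""
    found = []
    for line in listing.splitlines():
        f = line.split(":")
        # Colon format: type:validity:keylength:algo:keyid:created:expires:...:caps
        if f[0] not in ("pub", "sub") or len(f) < 12 or "s" not in f[11]:
            continue  # uid/fpr/tru records and encryption-only subkeys
        found.append((f[4], int(f[2]), int(f[3])))
    return found


def weak_keys(listing: str, policy: Dict[str, int] = MIN_BITS) -> List[Dict[str, str]]:
    """Signing keys that are below the policy minimum or of an uncovered type."""
    findings = []
    for keyid, bits, algo in signing_keys(listing):
        family = ALGO_FAMILY.get(algo)
        if family is None:
            findings.append({"keyid": keyid, "reason": f"algorithm {algo} not covered by policy"})
        elif bits < policy[family]:
            findings.append({"keyid": keyid, "reason": f"{family}-{bits} below {policy[family]}"})
    return findings


# Constructed listing: key IDs, fingerprints and dates are placeholders.
SAMPLE = """\
pub:-:1024:17:0000000000000001:2004-09-12:::-:::scESC::::::::0:
uid:-::::2004-09-12::0000000000000000000000000000000000000001::Weak DSA PPA <a@example.invalid>::::::::::0:
sub:-:2048:16:0000000000000002:2004-09-12::::::e::::::23:
pub:-:4096:1:0000000000000003:2012-05-11:::-:::scESC::::::::0:
pub:-:1024:1:0000000000000004:2009-01-20:::-:::scESC::::::::0:
"""

if __name__ == "__main__":
    for finding in weak_keys(SAMPLE):
        print(f"{finding['keyid']}: {finding['reason']}")
```

Piping real output of `gpg --list-keys --with-colons --keyring <file>` into `weak_keys` gives the same report for an actual keyring.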


