I think we reached somewhat of an agreement that net-update is a bad
idea and should not be done. It also depends on gnupg.
We should eventually consider developing something else, but I'm not
sure what that would look like. Currently, there is no way to revoke keys
except through packages, basically, which is a security issue. We need
to provide signed keyfiles at different locations that apt can download
so an attacker cannot use a broken key and MITM existing repositories
forever.
** Changed in: apt (Ubuntu)
Status: New => Won't Fix
--
https://bugs.launchpad.net/bugs/1624378
Title:
apt-key net-update should use trusted.gpg.d/
Status in apt package in Ubuntu:
Won't Fix
Bug description:
apt-key net-update for the new world order
/etc/apt/trusted.gpg is no longer the preferred location for key updates.
Instead, individual OpenPGP packets of exported public keys should be
placed in /etc/apt/trusted.gpg.d
Debian has already migrated to placing the keys there.
To comply with the /etc/apt/trusted.gpg.d structure, instead of updating
the keys in /etc/apt/trusted.gpg, imho apt-key net-update should
download and place a
/etc/apt/trusted.gpg.d/ubuntu-archive-netupdate.gpg key.