I think we reached somewhat of an agreement that net-update is a bad idea and should not be done. It also depends on gnupg.
We should eventually consider developing something else, but I'm not sure what that would look like. Currently, there is no way to revoke keys except through packages, basically, which is a security issue. We need to provide signed keyfiles on different locations that apt can download so an attacker cannot use a broken key and MITM existing repositories forever.

-- 
https://bugs.launchpad.net/bugs/1624378

Title:
  apt-key net-update should use trusted.gpg.d/

Status in apt package in Ubuntu:
  Won't Fix

Bug description:
  apt-key net-update for the new world order

  /etc/apt/trusted.gpg is no longer the preferred location for key updates. Instead, individual OpenPGP packets of exported public keys should be placed in /etc/apt/trusted.gpg.d

  Debian has already migrated to placing the keys there.

  To comply with the /etc/apt/trusted.gpg.d structure, instead of updating the keys in /etc/apt/trusted.gpg, imho apt-key net-update should download and place a /etc/apt/trusted.gpg.d/ubuntu-archive-netupdate.gpg key.

