For the workaround in apt-key I did a proof of concept here:
lp:~mvo/apt/apt-key-recv-lp1016643 that shows what I have in mind. It has
the added benefit that it will no longer support short keyids for --recv.

The basic idea is that if adv with --recv{,-keys} is given it will
intercept and download to a tmp keyring first, then verify that
(probably unneeded though) and then export the keyid from the tmpkeyring
and then import it into the real keyring. The export via keyid step
should ensure that the right keyid is used.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1016643

Title:
  add-apt-repository downloads gpg key in an insecure fashion
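
The flow described in the message above, sketched as an added shell example (not code from the lp:~mvo branch or from apt-key): it rejects short key ids and picks the single primary-key fingerprint that may be exported from the temporary keyring. The function names and the keyring listing are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names and key data are constructed, not apt-key's.
# Around it, the real steps would be gpg --recv-keys into a temporary keyring,
# gpg --export <fingerprint> from it, then gpg --import into the real keyring.

# Accept only a full 40-hex-digit fingerprint; print it normalised.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    fpr=${fpr#0[xX]}
    case $fpr in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Read `gpg --with-colons --fingerprint` output on stdin and print the
# fingerprint (field 10 of the fpr record) of each primary key, not subkeys.
primary_fprs() {
    awk -F: '$1 == "pub" { p = 1; next }
             $1 == "sub" { p = 0; next }
             $1 == "fpr" && p { print $10; p = 0 }'
}

# Print the one fingerprint that may be exported from the temporary keyring.
# Returns 2 for a short or malformed key id, 1 if the key was not received.
select_for_export() {
    want=$(normalize_fpr "$1") || { echo "not a full fingerprint: $1" >&2; return 2; }
    primary_fprs | grep -Fqx "$want" || return 1
    printf '%s\n' "$want"
}

# Constructed listing of a temporary keyring: the server returned the requested
# key plus a second key whose short id (22223333) is the same.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:0000111122223333:1340000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:-::::1340000000::X::Constructed PPA key:
sub:-:4096:1:1111111111111111:1340000000::::::e:
fpr:::::::::1111111111111111111111111111111111111111:
pub:-:1024:1:3333222222223333:1340000000:::-:::scESC:
fpr:::::::::9999888877776666555544443333222222223333:
EOF
}

sample_listing | select_for_export 'AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333'
```

Only the fingerprint printed by `select_for_export` would be passed to the export step, so the second key that shares the short id never reaches the real keyring.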
