Public bug reported:

[Impact]

 * debian-archive-keyring provides Debian Archive keys in two formats/locations:
   - /usr/share/keyrings/debian-archive-keyring.gpg
   - /etc/apt/trusted.gpg.d/*.gpg snippets

   The first location is used by many development tools to validate Debian
   mirrors when creating chroots/containers of Debian releases.

   The latter one is used by apt to validate and trust repositories.

   Ubuntu and Debian releases are often binary incompatible with each other,
   therefore by default on Ubuntu systems apt should not trust Debian Archive keys
   when one simply wants to have the ability to verify Debian releases on an
   Ubuntu system.

   Furthermore, debian-archive-keyring is often not installed explicitly but
   pulled in as a dependency. Thus the presence of debian-archive-keyring cannot
   be treated as consent to trust Debian archive keys by default.

[Test Case]

 * Install debian-archive-keyring
 * Verify that Debian keys are listed in the output of $ apt-key list
 * Upgrade debian-archive-keyring
 * Verify that Debian keys are no longer present in the output of $ apt-key list

[Regression Potential]

 * Users that rely on the host system trusting Debian archive keys will no
   longer be able to.
 * As a workaround those users should symlink
   /usr/share/keyrings/debian-archive-keyring.gpg into /etc/apt/trusted.gpg.d/
 * Maybe we should provide a package "debian-archive-keyring-trusted" which will
   ship the trusted.gpg.d snippets and make host systems trust Debian keys. But I
   do not believe there is a demand for that.
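As an added example (not code from the bug report or from the debian-archive-keyring package), the following POSIX shell script turns the test case's manual `apt-key list` inspection and the regression-potential workaround into something runnable: it extracts Debian archive uids from apt-key output, checks whether the apt trust store contains a symlink to the Debian keyring or (when gpg is available) any keyring sharing a fingerprint with it, and prints a per-source alternative to the symlink. The keyring path and /etc/apt/trusted.gpg.d are the locations the report names; the function names, the sample apt-key output (constructed, with fake fingerprints) and the deb.debian.org mirror line are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether apt on an Ubuntu host
# globally trusts the Debian archive keys, and print a per-source alternative to
# the symlink workaround. The two paths below are the ones the report names;
# function names, the sample apt-key output and the mirror URL are assumptions.

DEBIAN_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg

# Constructed sample of "apt-key list" output on a host where the old
# debian-archive-keyring snippets are still installed (fingerprints are fake).
SAMPLE_APT_KEY_LIST='/etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
--------------------------------------------------------------
pub   rsa4096 2017-05-22 [SC]
      1111 2222 3333 4444 5555  6666 7777 8888 9999 0000
uid           [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>

/etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
-----------------------------------------------------------
pub   rsa4096 2017-05-20 [SC]
      AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333
uid           [ unknown] Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
--------------------------------------------------------
pub   rsa4096 2012-05-11 [SC]
      4444 5555 6666 7777 8888  9999 AAAA BBBB CCCC DDDD
uid           [ unknown] Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>'

# Steps 2 and 4 of the test case: read "apt-key list" output on stdin and print
# the uid lines of Debian archive keys. Exit status 0 if any were found, else 1.
debian_uids_in_apt_key_list() {
    grep -E '^uid[[:space:]].*Debian (Archive|Stable|Security)'
}

# Fingerprints of all primary keys in keyring file $1 (empty if gpg is missing
# or the file is not a keyring gpg can read).
keyring_fprs() {
    command -v gpg >/dev/null 2>&1 || return 0
    gpg --batch --no-default-keyring --keyring "$(readlink -f "$1")" \
        --with-colons --list-keys 2>/dev/null | awk -F: '$1 == "fpr" { print $10 }'
}

# Does apt's trust store in $1 (default /etc/apt/trusted.gpg.d) make the Debian
# keyring $2 globally trusted? Flags a symlink to the keyring (the workaround the
# report suggests) and, when gpg is available, any keyring file sharing a
# fingerprint with it. Exit status 0 when Debian keys are trusted, 1 otherwise.
apt_trusts_debian_keys() {
    dir=${1:-/etc/apt/trusted.gpg.d}
    keyring=${2:-$DEBIAN_KEYRING}
    ref=" $(keyring_fprs "$keyring" | tr '\n' ' ')"
    found=1
    for f in "$dir"/*.gpg "$dir"/*.asc; do
        [ -e "$f" ] || continue
        if [ -L "$f" ] && [ "$(readlink -f "$f")" = "$(readlink -f "$keyring")" ]; then
            echo "symlink to Debian keyring: $f"
            found=0
            continue
        fi
        [ "$ref" != " " ] || continue     # no reference fingerprints to compare
        for fp in $(keyring_fprs "$f"); do
            case "$ref" in
                *" $fp "*) echo "Debian key $fp trusted via $f"; found=0 ;;
            esac
        done
    done
    return $found
}

# Scoped alternative to the symlink workaround: trust the Debian keyring for one
# source only, via apt's Signed-By option (apt >= 1.1). Mirror URL and suite are
# assumptions; apt then accepts Debian signatures for this source and nowhere else.
debian_source_line() {
    printf 'deb [signed-by=%s] http://deb.debian.org/debian %s main\n' \
        "$DEBIAN_KEYRING" "${1:-stretch}"
}

# Usage: sh check-debian-trust.sh --check
if [ "${1:-}" = "--check" ]; then
    if apt_trusts_debian_keys; then
        echo "apt trusts the Debian archive keys globally"
        echo "scoped alternative for a single Debian source:"
        debian_source_line
    else
        echo "apt does not trust the Debian archive keys"
    fi
fi
```

The symlink check is what the workaround in the report produces; the fingerprint comparison catches the same trust granted through a copied or renamed keyring. Where a host only needs to fetch one Debian suite, the signed-by line confines the Debian keys to that source instead of letting them validate every repository apt talks to.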

** Affects: debian-archive-keyring (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: debian-archive-keyring (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: debian-archive-keyring (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: debian-archive-keyring (Ubuntu Yakkety)
     Importance: Undecided
         Status: New

** Affects: debian-archive-keyring (Ubuntu Zesty)
     Importance: Undecided
         Status: New

** Affects: debian-archive-keyring (Ubuntu Artful)
     Importance: Undecided
         Status: New


** Tags: patch


** Also affects: debian-archive-keyring (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: debian-archive-keyring (Ubuntu Vivid)
   Importance: Undecided
       Status: New

** Also affects: debian-archive-keyring (Ubuntu Artful)
   Importance: Undecided
       Status: New

** Also affects: debian-archive-keyring (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Also affects: debian-archive-keyring (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: debian-archive-keyring (Ubuntu Xenial)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1685305

Title:
  Debian keys should not be trusted by default

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debian-archive-keyring/+bug/1685305/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs