group.of.nepali.translators team mailing list archive
Message #31151
[Bug 1685305] Re: Debian keys should not be trusted by default
Right, fixed in 2017.1. If anybody wants to do an SRU for trusty and
xenial, they are welcome to.
** Changed in: debian-archive-keyring (Ubuntu Zesty)
Status: New => Won't Fix
** Changed in: debian-archive-keyring (Ubuntu Yakkety)
Status: New => Won't Fix
** Changed in: debian-archive-keyring (Ubuntu Artful)
Status: New => Won't Fix
** Changed in: debian-archive-keyring (Ubuntu)
Status: New => Fix Released
** Changed in: debian-archive-keyring (Ubuntu)
Assignee: (unassigned) => Dimitri John Ledkov (xnox)
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1685305
Title:
Debian keys should not be trusted by default
Status in debian-archive-keyring package in Ubuntu:
Fix Released
Status in debian-archive-keyring source package in Trusty:
New
Status in debian-archive-keyring source package in Xenial:
New
Status in debian-archive-keyring source package in Yakkety:
Won't Fix
Status in debian-archive-keyring source package in Zesty:
Won't Fix
Status in debian-archive-keyring source package in Artful:
Won't Fix
Bug description:
[Impact]
* debian-archive-keyring provides Debian Archive keys in two formats/locations:
  - /usr/share/keyrings/debian-archive-keyring.gpg
  - /etc/apt/trusted.gpg.d/*.gpg snippets
The first location is used by many development tools to validate Debian
mirrors when creating chroots/containers of Debian releases.
The latter one is used by apt to validate and trust repositories.
Ubuntu and Debian releases are often binary incompatible with each other;
therefore, by default on Ubuntu systems, apt should not trust Debian Archive keys
when one simply wants to have the ability to verify Debian releases on an Ubuntu system.
Furthermore, debian-archive-keyring is often not installed explicitly but pulled in
as a dependency. Thus the presence of debian-archive-keyring cannot be treated as
consent to trust Debian archive keys by default.
[Test Case]
* Install debian-archive-keyring
* Verify that Debian keys are listed in the output of $ apt-key list
* Upgrade debian-archive-keyring
* Verify that Debian keys are no longer present in the output of $ apt-key list
[Regression Potential]
* Users that rely on the host's system to trust Debian archive keys will no longer do so.
* As a workaround those users should symlink
/usr/share/keyrings/debian-archive-keyring.gpg into /etc/apt/trusted.gpg.d/
* Maybe we should provide a package "debian-archive-keyring-trusted" which will
ship the trusted.gpg.d snippets and make host systems trust Debian keys. But I
do not believe there is a demand for that.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debian-archive-keyring/+bug/1685305/+subscriptions
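
The test case and workaround in the bug description above, as a scripted check; this is an added example, not part of the Launchpad report or the package. It goes slightly beyond reading `apt-key list` by comparing primary-key fingerprints, so it also catches the symlink workaround; the function names and the `--audit` switch are this sketch's own.

```shell
#!/bin/sh
# Added example: list Debian archive keys that apt trusts via trusted.gpg.d.
# Function names and the --audit switch are this script's own, not apt's.

# Primary-key fingerprints from `gpg --with-colons` output on stdin. An "fpr"
# record belongs to the most recent "pub" or "sub" record; subkeys are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" || $1 == "sub" { kind = $1 }
             $1 == "fpr" && kind == "pub" { print $10 }' | sort -u
}

# Dump one keyring file in colon format, using a throwaway GNUPGHOME so the
# caller's own keyrings and trustdb are left alone.
keyring_colons() {
    home=$(mktemp -d) || return 1
    GNUPGHOME=$home gpg --batch --no-default-keyring --keyring "$1" \
        --with-colons --fingerprint --list-keys 2>/dev/null || :
    rm -rf "$home"
}

# Print "<snippet> <fingerprint>" for every primary key of the reference
# keyring ($1) that also appears in a *.gpg snippet under $2.
# Returns 0 when apt trusts none of them, 1 otherwise.
audit_apt_trust() {
    ref=${1:-/usr/share/keyrings/debian-archive-keyring.gpg}
    dir=${2:-/etc/apt/trusted.gpg.d}
    tmp=$(mktemp -d) || return 2
    keyring_colons "$ref" | primary_fprs > "$tmp/debian"
    for f in "$dir"/*.gpg; do
        [ -e "$f" ] || continue          # unmatched glob or dangling symlink
        keyring_colons "$f" | primary_fprs > "$tmp/snippet"
        comm -12 "$tmp/debian" "$tmp/snippet" |
            while read -r fp; do printf '%s %s\n' "$f" "$fp"; done
    done > "$tmp/hits"
    cat "$tmp/hits"
    rc=0; [ -s "$tmp/hits" ] && rc=1
    rm -rf "$tmp"
    return "$rc"
}

# Run the audit only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--audit" ]; then
    shift
    audit_apt_trust "$@"
    exit $?
fi
```

Run with `--audit` before and after the package upgrade: exit status 1 with a list of snippets means apt still trusts Debian archive keys, exit status 0 with no output means it does not.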