touch-packages team mailing list archive

[Seth Arnold <1481871@xxxxxxxxxxxxxxxxxx>]

David, the CVE would be strictly for reporting "OK" to a delete command
that did not actually delete anything.

When an admin tries to remove a trusted key, the tools should either
report success when it does, or failure when it cannot.

I'm worried about the "apt-key adv --recv-key" issue; that's certainly
not mentioned in the manpages the last few times I've used this. We
should remove this advice from the manpage or provide a warning that it
is not safe to use this, despite previous recommendations.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1481871

Title:
  apt-key del silently fails to delete keys due to limited understanding
  of GPG key ID formats

Status in apt package in Ubuntu:
  Confirmed

Bug description:
  Description:	Ubuntu 14.04.3 LTS
  Release:	14.04

  apt:
    Installed: 1.0.1ubuntu2.10

  apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80
  7A82B743B9B8E46F12C733FA4759FA960E27C0A6

  apt-key export 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # key is here

  apt-key del  7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # delete key

  apt-key export 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # key is still
  here

  # Works fine with IDs

  apt-key del  0E27C0A6

  apt-key export 7A82B743B9B8E46F12C733FA4759FA960E27C0A6 # nothing
  exported

  # Works fine with fingerprint on Precise

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1481871/+subscriptions