touch-packages team mailing list archive

[Philipp Kern <phil+launchpad@xxxxxxxxxxx>]

Public bug reported:

ubuntu-keyring as shipped in trusty contains old 1024D keys dating back
to 2004 which are still being trusted for the main archive:

 % gpg /usr/share/keyrings/ubuntu-archive-keyring.gpg | grep 1024D
pub  1024D/437D05B5 2004-09-12 Ubuntu Archive Automatic Signing Key <ftpmaster@xxxxxxxxxx>
pub  1024D/FBB75451 2004-12-30 Ubuntu CD Image Automatic Signing Key <cdimage@xxxxxxxxxx>

Given that newer 4096R keys are present and have been in precise
(through -updates) and trusty, it seems to be about time to drop the
older keys. (In the hope that apt does not chose on signatures it cannot
verify, otherwise the publisher would need to stop signing with the old
key as well.)

** Affects: ubuntu-keyring (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ubuntu-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1363482

Title:
  ubuntu-keyring includes 1024D keys

Status in “ubuntu-keyring” package in Ubuntu:
  New

Bug description:
  ubuntu-keyring as shipped in trusty contains old 1024D keys dating
  back to 2004 which are still being trusted for the main archive:

   % gpg /usr/share/keyrings/ubuntu-archive-keyring.gpg | grep 1024D
  pub  1024D/437D05B5 2004-09-12 Ubuntu Archive Automatic Signing Key <ftpmaster@xxxxxxxxxx>
  pub  1024D/FBB75451 2004-12-30 Ubuntu CD Image Automatic Signing Key <cdimage@xxxxxxxxxx>

  Given that newer 4096R keys are present and have been in precise
  (through -updates) and trusty, it seems to be about time to drop the
  older keys. (In the hope that apt does not chose on signatures it
  cannot verify, otherwise the publisher would need to stop signing with
  the old key as well.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-keyring/+bug/1363482/+subscriptions