Whilst poking all of this a while back, my thought was to use inline
signed keyring snippet which is downloaded probably with the apt-helper,
validated (well gpgv decrypt) and stored as
/etc/apt/trusted.gpg.d/netupdate.gpg. Since we no longer need to touch
/etc/apt/trusted.gpg keyring. This
No, it did not. We could rebase and merge it. We can also replace wget
with /usr/lib/apt/apt-helper download-file to fix bug 325700 and bug
226780 while we're at it.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Did this change ever make it in?
** Changed in: apt (Ubuntu)
Assignee: (unassigned) => Michael Vogt (mvo)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1013681
Title:
make apt-key net-update
** No longer affects: apt (Ubuntu Quantal)
** Changed in: apt (Ubuntu)
Milestone: quantal-updates => None
--
** Changed in: apt (Ubuntu Quantal)
Status: Triaged => Won't Fix
--
Title:
make apt-key net-update secure
Thanks Colin, that is great news.
I updated the branch (and also merged the debian-sid changes) into
https://github.com/mvo5/apt/tree/ubuntu/lp1013681 - I need to test it a
bit more and then I will upload.
--
http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg.sig
exists now, so the client side should be unblocked.
--
** Bug watch added: Debian Bug tracker #642480
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480
** Also affects: apt (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480
Importance: Unknown
Status: Unknown
--
** Changed in: apt (Debian)
Status: Unknown => New
--
We're not going to get to this before quantal release.
** Changed in: apt (Ubuntu Quantal)
Milestone: None => quantal-updates
--
I'm fine with the signed-keyring-file approach too, although I haven't
confirmed that there are no attacks possible on the code used to verify
*that* signature.
--
From #ubuntu-meeting on 2012-09-12:
08:43 mvo cjwatson: it will require a server side change
08:43 mvo cjwatson: if you guys are happy with the new proposed schema we can upload (once the server side is updated)
08:43 mvo but I (much) agree we should not rush this :) it caused
** Tags removed: rls-q-incoming
** Also affects: apt (Ubuntu Quantal)
Importance: High
Status: Triaged
--
More gpg issues with keyring files:
http://lists.gnupg.org/pipermail/gnupg-devel/2012-June/026743.html
http://lists.gnupg.org/pipermail/gnupg-devel/2012-June/026745.html
http://seclists.org/fulldisclosure/2012/Jun/349
--
Some more info:
http://lists.gnupg.org/pipermail/gnupg-devel/2012-June/026724.html
--
I would welcome feedback on the alternative approach. The idea is
basically to simply download a signed keyring file, gpg verify that
against the master key and if it's good, import it.
--
Subscribing Steve and Colin to get their feedback as well.
--
As I recall, we didn't go this route the first time around because we
wanted to avoid changing the server-side interface. But if trying to
check this securely is a case of being nibbled to death by cats, I think
it makes sense to revisit this. So I have no objection to using a
gpg-verified
Here is an alternative approach for the net-update:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472/comments/2
--
** Branch linked: lp:~mvo/apt/lp1013681
--