Whilst poking all of this a while back, my thought was to use an inline signed keyring snippet, which is downloaded probably with the apt-helper, validated (well gpgv decrypt) and stored as /etc/apt/trusted.gpg.d/netupdate.gpg, since we no longer need to touch the /etc/apt/trusted.gpg keyring. This doesn't even need to live in apt-key netupdate, and could be just a timer unit. But I guess having this simple logic in the apt-key script may make sense.

Note that netupdate has been disabled for a long while now, thus any reintroduction will need security team review before we enable.

-- 
https://bugs.launchpad.net/bugs/1013681

Title:
  make apt-key net-update secure

Status in apt package in Ubuntu:
  Triaged
Status in apt package in Debian:
  New

Bug description:
  Attacks are being performed against the 'apt-key net-update' command
  and it is not considered secure. While it is in the process of being
  disabled in Ubuntu, it should be improved to be secure.

  References:
  https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472
  https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128
  https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013639
  http://seclists.org/fulldisclosure/2011/Sep/222
  http://seclists.org/fulldisclosure/2012/Jun/267
  http://seclists.org/fulldisclosure/2012/Jun/271
  http://seclists.org/fulldisclosure/2012/Jun/289
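
The verify-then-store step proposed in the comment above, as an added example that is not part of the original message or of apt: the signed snippet is checked with gpgv against a pinned keyring and only the verified payload replaces /etc/apt/trusted.gpg.d/netupdate.gpg, failing closed otherwise. The function name, the MASTER_KEYRING path (a placeholder) and the assumption that the snippet has already been downloaded to a local file are not from the thread.

```sh
#!/bin/sh
# Added example: fail-closed install of an inline-signed keyring snippet.
# Assumed (not from the thread): the function name, the MASTER_KEYRING path
# (a placeholder) and that the snippet has already been downloaded to a file.
GPGV="${GPGV:-gpgv}"
MASTER_KEYRING="${MASTER_KEYRING:-/usr/share/keyrings/EXAMPLE-master-keyring.gpg}"
TARGET="${TARGET:-/etc/apt/trusted.gpg.d/netupdate.gpg}"

install_signed_keyring() {
    signed="$1"
    [ -r "$signed" ] || return 1
    # Temp file beside the target so the final rename stays on one filesystem.
    tmp="$(mktemp "${TARGET}.XXXXXX")" || return 1
    # gpgv trusts only the keys in the pinned keyring; --output writes the
    # signed payload, so what gets installed is exactly what was verified.
    if ! "$GPGV" --quiet --keyring "$MASTER_KEYRING" --output "$tmp" "$signed" 2>/dev/null
    then
        rm -f "$tmp"
        return 1
    fi
    # Refuse an empty payload rather than replace the keyring with nothing.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    # Rename is atomic: readers see either the old keyring or the new one.
    chmod 0644 "$tmp" && mv -f "$tmp" "$TARGET" && return 0
    rm -f "$tmp"
    return 1
}
```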