Re: APT public key updates?

On Sat, Jan 07, 2006 at 04:34:48PM +0000, Colin Watson wrote:
> On Thu, Jan 05, 2006 at 04:32:29PM -0800, Matt Zimmerman wrote:
> > On Fri, Jan 06, 2006 at 01:22:50AM +0100, Petter Reinholdtsen wrote:
> > > Isn't Ubuntu using the signed apt stuff?  How are they handling the
> > > new archive keys?
> > 
> > Ubuntu's apt package ships only the Ubuntu archive keyring, not the Debian
> > archive keyring, so no update is needed when Debian keys change.
> That doesn't mean we (Ubuntu) have solved the problem of how to rotate
> *our* keys in the event of a key compromise. (To my knowledge, we
> haven't.)

Petter's question was about the key which recently expired, not about a
hypothetical compromise.

That said, we do have a simplistic mechanism for handling key revocations
(as does Debian; it's in mainline apt).  It is far from ideal, as there
isn't a means for establishing an independent trust path to the new key
(it'll be authenticated indirectly by the old key), but it has that flaw in
common with the old approach of downloading the key from a Debian web
server.  Most users probably don't have a trust path to the keys used to
sign the archive keys.

 - mdz
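To make the mechanism described above concrete, the following is an added example; it is not part of this thread and not apt's code. It models a client keyring in which a rotation notice carrying the new archive key is accepted solely because the currently trusted key signed it, then shows the flaw mdz points out: anyone holding the old private key can rotate a client onto a key they control, and Release files signed by that key verify afterwards. Lamport one-time signatures over SHA-256 stand in for OpenPGP so the script needs only the Python standard library; the notice format, the function names and the Release text are constructed here for illustration and are assumptions, not apt's actual format.

```python
import hashlib
import os

HASH = hashlib.sha256
N = 256  # one secret pair per bit of the SHA-256 digest


def keygen():
    """Lamport one-time key: 256 pairs of random secrets; the public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def sign(sk, msg):
    # Reveal, for every digest bit, the secret matching that bit's value.
    h = int.from_bytes(HASH(msg).digest(), "big")
    return [sk[i][(h >> (N - 1 - i)) & 1] for i in range(N)]


def verify(pk, msg, sig):
    h = int.from_bytes(HASH(msg).digest(), "big")
    return len(sig) == N and all(
        HASH(sig[i]).digest() == pk[i][(h >> (N - 1 - i)) & 1] for i in range(N)
    )


def pk_bytes(pk):
    return b"".join(a + b for a, b in pk)


def parse_pk(blob):
    return [(blob[i:i + 32], blob[i + 32:i + 64]) for i in range(0, len(blob), 64)]


def key_id(pk):
    return HASH(pk_bytes(pk)).hexdigest()[:16]


def make_rotation(signing_sk, new_pk):
    """Rotation notice (assumed format): the new public key, signed by the retiring key."""
    return {"new_key": pk_bytes(new_pk), "sig": sign(signing_sk, pk_bytes(new_pk))}


def apply_rotation(keyring, current_id, notice):
    """Accept the new key iff the notice verifies under the key the client trusts now.

    This is the indirect trust path: nothing but the old key vouches for the new one.
    Returns the new key id, or None if the notice is rejected.
    """
    if not verify(keyring[current_id], notice["new_key"], notice["sig"]):
        return None
    new_pk = parse_pk(notice["new_key"])
    new_id = key_id(new_pk)
    keyring[new_id] = new_pk
    del keyring[current_id]  # retire the old key
    return new_id


def run_scenarios():
    # Generation-1 archive key; its public half is what ships in the keyring
    # package, so initial trust is established out of band.
    sk1, pk1 = keygen()
    # Constructed Release text, not a real archive's.
    release = b"Origin: Example\nSuite: stable\nSHA256:\n 0123abcd 4242 main/binary-i386/Packages\n"
    results = {}

    # 1. Legitimate rotation to generation 2, vouched for only by generation 1.
    sk2, pk2 = keygen()
    keyring = {key_id(pk1): pk1}
    current = apply_rotation(keyring, key_id(pk1), make_rotation(sk1, pk2))
    results["legit_rotation"] = current == key_id(pk2)
    results["release_after_rotation"] = verify(keyring[current], release, sign(sk2, release))

    # 2. A notice signed by a key the client never trusted is rejected.
    sk_other, _ = keygen()
    keyring = {key_id(pk1): pk1}
    results["unrelated_rejected"] = apply_rotation(
        keyring, key_id(pk1), make_rotation(sk_other, pk2)) is None

    # 3. The flaw: whoever holds sk1 (compromised old key) can rotate a client
    #    that still trusts generation 1 onto a key of their choosing.
    #    (Signing twice with a Lamport key leaks secrets, but the attacker
    #    already has all of sk1, so that is irrelevant here.)
    sk_evil, pk_evil = keygen()
    keyring = {key_id(pk1): pk1}
    current = apply_rotation(keyring, key_id(pk1), make_rotation(sk1, pk_evil))
    forged = release + b"Tampered: yes\n"
    results["compromised_old_key_accepted"] = (
        current == key_id(pk_evil) and verify(keyring[current], forged, sign(sk_evil, forged))
    )
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The third scenario is the point: the check in apply_rotation is sound as far as it goes, but it can never distinguish a genuine rotation from one issued with a stolen old key, because the client has no trust path to the new key other than through the key being replaced. Closing that gap needs something outside the chain, such as a second, offline-held key that must co-sign rotations, or an out-of-band channel the client already trusts.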

