Bug#345823: marked as done (apt: Key error at year turnover resembles security problem, and may represent one)

To: Joey Hess <joeyh@debian.org>
Subject: Bug#345823: marked as done (apt: Key error at year turnover resembles security problem, and may represent one)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Tue, 30 May 2006 10:48:58 -0700
Message-id: <[🔎] handler.345823.D345823.11490106656612.ackdone@bugs.debian.org>
References: <20060530173813.GA16735@kitenet.net> <20060103185828.GA1607@ducker.org>

Your message dated Tue, 30 May 2006 13:38:13 -0400
with message-id <20060530173813.GA16735@kitenet.net>
and subject line closing this bug
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apt: Key error at year turnover resembles security problem, and may represent one
From: Joshua Rodman <jrodman@debbugs.spamportal.net>
Date: Tue, 3 Jan 2006 10:58:28 -0800
Message-id: <20060103185828.GA1607@ducker.org>

Package: apt
Version: 0.6.43
Severity: normal


Since the year has turned over, apt-get update now produces the error: 
[...]
Reading package lists... Done
W: GPG error: http://http.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
W: GPG error: http://http.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

Because the release key is not provided via an automated mechanism.
Leaveing aside that the means for getting a new key are not documented
in /usr/share/doc/apt or apt-doc, there is the additional issue that
undocumented, this looks like the debian servers may be compromised.

Secondarily, the recipes I can find for updating to the new release key
do not make clear whether the new release key is verifiable in any way.
I am worried that debian may be violating its trust model once a year.

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Default-Release "testing";
APT::Cache-Limit "10000000";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi";
DPkg::Post-Invoke:: "if [ -x /usr/sbin/localepurge ] && [ $(ps w -p $PPID | grep -c remove) != 1 ]; then /usr/sbin/localepurge; else exit 0; fi";
Acquire "";
Acquire::http "";
Acquire::http::Pipeline-Depth "3";

-- /etc/apt/preferences --

Package: *
Pin: release a=testing
Pin-Priority: 900

Package: *
Pin: release a=etch
Pin-Priority: 900

Package: *
Pin: release o=Debian
Pin-Priority: -10


-- /etc/apt/sources.list --

deb file:/var/cache/apt-build/repository apt-build main
# Testing sources
deb http://http.us.debian.org/debian/ testing main contrib non-free
# sonic mirrors binaries (slowly!!!)
#deb ftp://ftp.sonic.net/mirrors/debian/ testing main contrib non-free
deb-src http://http.us.debian.org/debian/ testing main contrib non-free


#deb http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free
#deb-src http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free

# Unstable sources
deb http://http.us.debian.org/debian/ unstable main non-free contrib
#deb ftp://ftp.sonic.net/mirrors/debian/ unstable main contrib non-free
deb-src http://http.us.debian.org/debian/ unstable main non-free contrib


#deb http://non-us.debian.org/debian-non-US unstable/non-US main contrib non-free
#deb-src http://non-us.debian.org/debian-non-US unstable/non-US main contrib non-free

# Stable sources
#deb http://http.us.debian.org/debian stable main contrib non-free
#deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
#deb http://security.debian.org stable/updates main contrib non-free
#deb-src http://http.us.debian.org/debian stable main contrib


# Special sources

# java ?
# broke one day
#deb ftp://ftp.tux.org/pub/java/debian unstable main non-free
#deb ftp://ftp.tux.org/pub/java/debian testing main non-free

#experimental UAE
deb http://www.rcdrummond.net/uae sid main

# various contraband
deb ftp://ftp.nerim.net/debian-marillat/ etch main
deb ftp://ftp.nerim.net/debian-marillat/ sid main


# dotgnu
# not using anymore
#deb-src http://mentors.debian.net/debian unstable main
#deb http://mentors.debian.net/debian unstable main

# cross compilers
#deb http://debian.speedblue.org ./
# down

# mrxvt, (some other stuff like libtorrent.. whatever)
deb http://mayhq.org/deb/ ./
deb-src http://mayhq.org/deb/ ./

# xmms2 development versions
# this shit is not working! host down
#deb http://exodus.xmms.se/debian stable main
#deb http://exodus.xmms.se/debian testing main


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-jsr
Locale: LANG=C, LC_CTYPE=C (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US.iso88591)

Versions of packages apt depends on:
ii  libc6                         2.3.5-8    GNU C Library: Shared libraries an
ii  libgcc1                       1:4.0.2-5  GCC support library
ii  libstdc++6                    4.0.2-5    The GNU Standard C++ Library v3

apt recommends no packages.

-- no debconf information

--- End Message ---

--- Begin Message ---

To: 345823-done@bugs.debian.org

Subject: closing this bug

From: Joey Hess <joeyh@debian.org>

Date: Tue, 30 May 2006 13:38:13 -0400

Message-id: <20060530173813.GA16735@kitenet.net>
Version: 0.6.43.1

I don't think this bug needs to remain open, like I said before. If you
disagree, feel free to reopen it.

-- 
see shy jo
Attachment: signature.asc
Description: Digital signature

--- End Message ---

Reply to:

Prev by Date: Bug#345891: marked as done (needs update for new archive key)
Next by Date: Bug#346002: marked as done (apt: GPG error when updating)
Previous by thread: Bug#345891: marked as done (needs update for new archive key)
Next by thread: Bug#346002: marked as done (apt: GPG error when updating)
Index(es):
- Date
- Thread