Your message dated Tue, 30 May 2006 13:38:13 -0400 with message-id <20060530173813.GA16735@kitenet.net> and subject line closing this bug has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator (administrator, Debian Bugs database)

--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt: Key error at year turnover resembles security problem, and may represent one
- From: Joshua Rodman <jrodman@debbugs.spamportal.net>
- Date: Tue, 3 Jan 2006 10:58:28 -0800
- Message-id: <20060103185828.GA1607@ducker.org>

Package: apt
Version: 0.6.43
Severity: normal

Since the year has turned over, apt-get update now produces the error:

    [...]
    Reading package lists... Done
    W: GPG error: http://http.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
    W: GPG error: http://http.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

Because the release key is not provided via an automated mechanism.

Leaving aside that the means for getting a new key are not documented in /usr/share/doc/apt or apt-doc, there is the additional issue that undocumented, this looks like the debian servers may be compromised.

Secondarily, the recipes I can find for updating to the new release key do not make clear whether the new release key is verifiable in any way. I am worried that debian may be violating its trust model once a year.

-- Package-specific info:

-- apt-config dump --

    APT "";
    APT::Architecture "i386";
    APT::Build-Essential "";
    APT::Build-Essential:: "build-essential";
    APT::Default-Release "testing";
    APT::Cache-Limit "10000000";
    Dir "/";
    Dir::State "var/lib/apt/";
    Dir::State::lists "lists/";
    Dir::State::cdroms "cdroms.list";
    Dir::State::userstatus "status.user";
    Dir::State::status "/var/lib/dpkg/status";
    Dir::Cache "var/cache/apt/";
    Dir::Cache::archives "archives/";
    Dir::Cache::srcpkgcache "srcpkgcache.bin";
    Dir::Cache::pkgcache "pkgcache.bin";
    Dir::Etc "etc/apt/";
    Dir::Etc::sourcelist "sources.list";
    Dir::Etc::sourceparts "sources.list.d";
    Dir::Etc::vendorlist "vendors.list";
    Dir::Etc::vendorparts "vendors.list.d";
    Dir::Etc::main "apt.conf";
    Dir::Etc::parts "apt.conf.d";
    Dir::Etc::preferences "preferences";
    Dir::Bin "";
    Dir::Bin::methods "/usr/lib/apt/methods";
    Dir::Bin::dpkg "/usr/bin/dpkg";
    DPkg "";
    DPkg::Pre-Install-Pkgs "";
    DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
    DPkg::Post-Invoke "";
    DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi";
    DPkg::Post-Invoke:: "if [ -x /usr/sbin/localepurge ] && [ $(ps w -p $PPID | grep -c remove) != 1 ]; then /usr/sbin/localepurge; else exit 0; fi";
    Acquire "";
    Acquire::http "";
    Acquire::http::Pipeline-Depth "3";

-- /etc/apt/preferences --

    Package: *
    Pin: release a=testing
    Pin-Priority: 900

    Package: *
    Pin: release a=etch
    Pin-Priority: 900

    Package: *
    Pin: release o=Debian
    Pin-Priority: -10

-- /etc/apt/sources.list --

    deb file:/var/cache/apt-build/repository apt-build main

    # Testing sources
    deb http://http.us.debian.org/debian/ testing main contrib non-free
    # sonic mirrors binaries (slowly!!!)
    #deb ftp://ftp.sonic.net/mirrors/debian/ testing main contrib non-free
    deb-src http://http.us.debian.org/debian/ testing main contrib non-free
    #deb http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free
    #deb-src http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free

    # Unstable sources
    deb http://http.us.debian.org/debian/ unstable main non-free contrib
    #deb ftp://ftp.sonic.net/mirrors/debian/ unstable main contrib non-free
    deb-src http://http.us.debian.org/debian/ unstable main non-free contrib
    #deb http://non-us.debian.org/debian-non-US unstable/non-US main contrib non-free
    #deb-src http://non-us.debian.org/debian-non-US unstable/non-US main contrib non-free

    # Stable sources
    #deb http://http.us.debian.org/debian stable main contrib non-free
    #deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
    #deb http://security.debian.org stable/updates main contrib non-free
    #deb-src http://http.us.debian.org/debian stable main contrib

    # Special sources
    # java ?
    # broke one day
    #deb ftp://ftp.tux.org/pub/java/debian unstable main non-free
    #deb ftp://ftp.tux.org/pub/java/debian testing main non-free

    #experimental UAE
    deb http://www.rcdrummond.net/uae sid main

    # various contraband
    deb ftp://ftp.nerim.net/debian-marillat/ etch main
    deb ftp://ftp.nerim.net/debian-marillat/ sid main

    # dotgnu
    # not using anymore
    #deb-src http://mentors.debian.net/debian unstable main
    #deb http://mentors.debian.net/debian unstable main

    # cross compilers
    #deb http://debian.speedblue.org ./
    # down

    # mrxvt, (some other stuff like libtorrent.. whatever)
    deb http://mayhq.org/deb/ ./
    deb-src http://mayhq.org/deb/ ./

    # xmms2 development versions
    # this shit is not working! host down
    #deb http://exodus.xmms.se/debian stable main
    #deb http://exodus.xmms.se/debian testing main

-- System Information:

    Debian Release: testing/unstable
      APT prefers testing
      APT policy: (990, 'testing')
    Architecture: i386 (i686)
    Shell: /bin/sh linked to /bin/bash
    Kernel: Linux 2.6.14-jsr
    Locale: LANG=C, LC_CTYPE=C (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US.iso88591)

    Versions of packages apt depends on:
    ii  libc6       2.3.5-8    GNU C Library: Shared libraries an
    ii  libgcc1     1:4.0.2-5  GCC support library
    ii  libstdc++6  4.0.2-5    The GNU Standard C++ Library v3

    apt recommends no packages.

-- no debconf information

--- End Message ---
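
An added example, not part of the original report and not apt's own code: a small Python parser for the `W: GPG error` warnings quoted in the report above, grouping the repositories an update run left unverified by the missing key ID. The function name and the third sample warning (host `repo.example.invalid`, key `0123456789ABCDEF`) are constructed for illustration.

```python
import re
from collections import defaultdict

# Warning shape as quoted in the bug report:
#   W: GPG error: <uri> <suite> Release: <text> NO_PUBKEY <16-hex key id>
WARNING_RE = re.compile(
    r"^W: GPG error: (?P<uri>\S+) (?P<suite>\S+) Release: (?P<detail>.*)$"
)
NO_PUBKEY_RE = re.compile(r"\bNO_PUBKEY ([0-9A-Fa-f]{16})\b")


def missing_keys(update_output):
    """Map each missing key ID to the (uri, suite) pairs it left unverified."""
    affected = defaultdict(list)
    for line in update_output.splitlines():
        match = WARNING_RE.match(line.strip())
        if not match:
            continue  # progress lines and unrelated warnings are ignored
        repo = (match.group("uri"), match.group("suite"))
        # One warning may name several keys; record the repo under each.
        for key_id in NO_PUBKEY_RE.findall(match.group("detail")):
            key_id = key_id.upper()
            if repo not in affected[key_id]:
                affected[key_id].append(repo)
    return dict(affected)


# First two warnings are the ones quoted in the report; the third is constructed.
SAMPLE = """\
Reading package lists... Done
W: GPG error: http://http.us.debian.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
W: GPG error: http://http.us.debian.org unstable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F
W: GPG error: http://repo.example.invalid sid Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF NO_PUBKEY 010908312D230C5F
"""

if __name__ == "__main__":
    for key_id, repos in sorted(missing_keys(SAMPLE).items()):
        print(key_id)
        for uri, suite in repos:
            print(f"  unverified: {uri} {suite}")
```
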
--- Begin Message ---
- To: 345823-done@bugs.debian.org
- Subject: closing this bug
- From: Joey Hess <joeyh@debian.org>
- Date: Tue, 30 May 2006 13:38:13 -0400
- Message-id: <20060530173813.GA16735@kitenet.net>

Version: 0.6.43.1

I don't think this bug needs to remain open, like I said before. If you disagree, feel free to reopen it.

--
see shy jo

Attachment: signature.asc
Description: Digital signature
--- End Message ---