
Bug#642480: reopened as cryptographic validation used in apt-key net-update is broken

Hi Julian,

* Julian Andres Klode <jak@debian.org> wrote:
> On Fri, Sep 23, 2011 at 09:16:03AM +0200, Alexander Neumann wrote:
> > I've reopened this bug and set the severity to normal in order to keep track
> > of the code this bug pointed at.
> >
> > The cryptographic verification code used in the function called by apt-key
> > net-update is utterly broken.  The situation is not improved by replacing
> > "list-sigs" with "check-sigs", because still the key id strings (which are
> > absurdly short and easy to forge) are used to "verify" that a key has been
> > signed by another key.  This is broken.
> >
> > This bug may be closed either when the code in apt-key has been replaced so
> > that the signatures are checked or the code is removed completely.

In retrospect, I think my tone was too harsh when writing this, please
accept my apologies.

> I don't see a reason to have a bug open for code which we do not use. The
> only people affected by this are downstream distributions, and the fix
> will get in via Ubuntu once it's there. Bugs in disabled code are no
> bugs. And we already have a bug in Launchpad, right where people are
> affected by this. And the APT developers are subscribed to both bug
> trackers. If at all, that's a minor documentation issue for us.

Hm.  I disagree. I still think this bug should remain open until the code is
properly fixed and has entered unstable, but I will accept your decision.

What do you propose?

- Alexander

Attachment: pgp69Pu8Qs1VY.pgp
Description: PGP signature
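The following is an added example, not code from apt-key or the APT project, to make the objection above concrete. It models two checks: the weak pattern of grepping unverified `gpg --list-sigs --with-colons` output for a master key's 32-bit short key ID, and a check that uses `--check-sigs --with-colons` and compares the verified issuer's full fingerprint. All key IDs, fingerprints and listings are constructed samples in GnuPG's colon format; the field layout assumed for `sig` records (status in field 2, claimed signer key ID in field 5, issuer fingerprint in field 13 only when the signature verified) follows GnuPG's doc/DETAILS and is an assumption here, not something the bug report states.

```python
"""Added example (not apt-key's code): short key IDs in --list-sigs output
are not verification.  Listings below are constructed samples in GnuPG's
colon-separated format; no real keys are involved.

Assumed `sig` record layout (1-based fields): 2 = status from --check-sigs
('!' good, '-' bad, '?' no public key, '%' error; empty under --list-sigs,
which verifies nothing), 5 = 64-bit key ID as claimed in the packet,
10 = user ID, 13 = issuer fingerprint, filled only when the signature verified.
"""

MASTER_FPR = "ABCDEF0123456789ABCDEF0123456789DEADBEEF"      # constructed
MASTER_LONG_ID = MASTER_FPR[-16:]                            # 23456789DEADBEEF
MASTER_SHORT_ID = MASTER_FPR[-8:]                            # DEADBEEF
MASTER_UID = "Archive Master Key (constructed) <master@example.invalid>"

SIGNING_FPR = "8899AABBCCDDEEFF889900110011223344556677"     # constructed
SIGNING_LONG_ID = SIGNING_FPR[-16:]                          # 0011223344556677
SIGNING_UID = "Archive Signing Key (constructed) <ftpmaster@example.invalid>"

# Constructed attacker key whose 32-bit short ID collides with the master's.
ATTACKER_FPR = "FFFF0000FFFF0000FFFF0000FFFF0000DEADBEEF"
ATTACKER_LONG_ID = ATTACKER_FPR[-16:]                        # FFFF0000DEADBEEF
ATTACKER_UID = MASTER_UID                                    # impersonation

# Genuine archive key: self-signed and certified by the master key.
GENUINE_LIST_SIGS = f"""
pub:-:4096:1:{SIGNING_LONG_ID}:1316765000:::-:::scSC::::::23::0:
uid:-::::1316765000::0::{SIGNING_UID}::::::::::0:
sig:::1:{SIGNING_LONG_ID}:1316765000::::{SIGNING_UID}:13x:::::8:
sig:::1:{MASTER_LONG_ID}:1316765000::::{MASTER_UID}:10x:::::8:
"""
GENUINE_CHECK_SIGS = f"""
pub:-:4096:1:{SIGNING_LONG_ID}:1316765000:::-:::scSC::::::23::0:
uid:-::::1316765000::0::{SIGNING_UID}::::::::::0:
sig:!::1:{SIGNING_LONG_ID}:1316765000::::{SIGNING_UID}:13x::{SIGNING_FPR}:::8:
sig:!::1:{MASTER_LONG_ID}:1316765000::::{MASTER_UID}:10x::{MASTER_FPR}:::8:
"""

# Forgery 1: attacker key with a colliding short ID, carrying only its own
# (perfectly valid) self-signature.
FORGED_COLLISION_LIST_SIGS = f"""
pub:-:2048:1:{ATTACKER_LONG_ID}:1316765000:::-:::scSC::::::23::0:
uid:-::::1316765000::0::{ATTACKER_UID}::::::::::0:
sig:::1:{ATTACKER_LONG_ID}:1316765000::::{ATTACKER_UID}:13x:::::8:
"""
FORGED_COLLISION_CHECK_SIGS = f"""
pub:-:2048:1:{ATTACKER_LONG_ID}:1316765000:::-:::scSC::::::23::0:
uid:-::::1316765000::0::{ATTACKER_UID}::::::::::0:
sig:!::1:{ATTACKER_LONG_ID}:1316765000::::{ATTACKER_UID}:13x::{ATTACKER_FPR}:::8:
"""

# Forgery 2: any attacker key plus a garbage signature packet that merely
# names the master's key ID; --list-sigs prints it, --check-sigs marks it bad.
FORGED_CLAIM_LIST_SIGS = f"""
pub:-:2048:1:1122334455667788:1316765000:::-:::scSC::::::23::0:
uid:-::::1316765000::0::{ATTACKER_UID}::::::::::0:
sig:::1:1122334455667788:1316765000::::{ATTACKER_UID}:13x:::::8:
sig:::1:{MASTER_LONG_ID}:1316765000::::{MASTER_UID}:10x:::::8:
"""
FORGED_CLAIM_CHECK_SIGS = f"""
pub:-:2048:1:1122334455667788:1316765000:::-:::scSC::::::23::0:
uid:-::::1316765000::0::{ATTACKER_UID}::::::::::0:
sig:!::1:1122334455667788:1316765000::::{ATTACKER_UID}:13x::0000111122223333444455556666777788889999:::8:
sig:-::1:{MASTER_LONG_ID}:1316765000::::{MASTER_UID}:10x:::::8:
"""


def parse_colons(listing):
    """Split a colon-format listing into records (lists of fields)."""
    return [line.split(":") for line in listing.strip().splitlines() if line.strip()]


def weak_accepts(list_sigs_output, master_short_id):
    """The pattern objected to: treat the key as master-signed if any 'sig'
    record's key ID ends in the master's 8-hex short ID.  --list-sigs only
    prints what the packets claim, so this checks nothing cryptographic."""
    return any(rec[0] == "sig" and rec[4].upper().endswith(master_short_id.upper())
               for rec in parse_colons(list_sigs_output))


def verified_signers(check_sigs_output):
    """Issuer fingerprints of signatures that --check-sigs verified ('!').
    Bad ('-'), unverifiable ('?') and errored ('%') signatures are ignored
    no matter which key ID they claim."""
    return {rec[12].upper() for rec in parse_colons(check_sigs_output)
            if rec[0] == "sig" and len(rec) > 12 and rec[1] == "!" and rec[12]}


def strong_accepts(check_sigs_output, master_fpr):
    """Accept only a verified-good signature whose full 160-bit issuer
    fingerprint is the master key's."""
    return master_fpr.upper() in verified_signers(check_sigs_output)


def run_scenarios():
    """Return {scenario: (weak_result, strong_result)} for the constructed cases."""
    cases = {
        "genuine": (GENUINE_LIST_SIGS, GENUINE_CHECK_SIGS),
        "short_id_collision": (FORGED_COLLISION_LIST_SIGS, FORGED_COLLISION_CHECK_SIGS),
        "claimed_master_id": (FORGED_CLAIM_LIST_SIGS, FORGED_CLAIM_CHECK_SIGS),
    }
    return {name: (weak_accepts(ls, MASTER_SHORT_ID), strong_accepts(cs, MASTER_FPR))
            for name, (ls, cs) in cases.items()}


if __name__ == "__main__":
    for name, (weak, strong) in run_scenarios().items():
        print(f"{name:20s} weak={weak!s:5s} strong={strong}")
```

Both forgeries pass the weak check and fail the strong one; only the genuine key passes both. Note that swapping `list-sigs` for `check-sigs` alone does not help if the script still matches on the key ID field: the attacker's self-signature in the collision case is a perfectly good signature, so its status is `!` too. The decisive change is comparing the verified issuer's full fingerprint against a master fingerprint taken from a keyring the attacker does not control.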
