On Fri, Sep 23, 2011 at 09:16:03AM +0200, Alexander Neumann wrote:
> Hi,
>
> I've reopened this bug and set the severity to normal in order to keep track
> of the code this bug pointed at.
>
> The cryptographic verification code used in the function called by apt-key
> net-update is utterly broken. The situation is not improved by replacing
> "list-sigs" with "check-sigs", because still the key id strings (which are
> absurdly short and easy to forge) are used to "verify" that a key has been
> signed by another key. This is broken.
>
> This bug may be closed either when the code in apt-key has been replaced so
> that the signatures are checked or the code is removed completely.

I don't see a reason to have a bug open for code which we do not use. The
only people affected by this are downstream distributions, and the fix will
get in via Ubuntu once it's there.

Bugs in disabled code are no bugs. And we already have a bug in Launchpad,
right where people are affected by this. And the APT developers are
subscribed to both bug trackers.

If at all, that's a minor documentation issue for us.

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member
See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
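The quoted report makes one concrete technical point: a check that compares key-ID strings found in gpg's listing is not signature verification, and switching the listing from `list-sigs` to `check-sigs` does not help as long as the decision is still made on the key-ID string rather than on gpg's verdict. The following script is an added illustration written for this page; it is not apt-key's code and not anything from the APT or Debian projects. It parses the `--with-colons` record layout documented in GnuPG's doc/DETAILS (record type in field 1, validity in field 2, 64-bit key ID in field 5, fingerprint in field 10 of `fpr` records) and contrasts a key-ID-string check with one that requires a good-signature verdict and resolves the signer by full fingerprint. Every fingerprint, user ID and listing below is constructed, and the function names (`listing`, `keyid_string_check`, `verified_check`) are hypothetical.

```python
"""Constructed example: why matching key-ID strings is not signature verification.

Record layout follows GnuPG's --with-colons format as documented in doc/DETAILS:
field 1 = record type, field 2 = validity ('!' good signature, '-' bad,
'?' signing key unknown), field 5 = 64-bit key ID, field 10 = user ID, or the
full fingerprint on 'fpr' records. All key material here is made up.
"""
from dataclasses import dataclass, field

# Constructed fingerprints. The real master key and the look-alike deliberately
# share their last 8 hex digits, i.e. the 32-bit "short key ID".
MASTER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
IMPOSTOR_FPR = "FEDCBA9876543210FEDCBA98765432FF01234567"
ARCHIVE_FPR = "00112233445566778899AABBCCDDEEFF00112233"


def listing(archive_sigs):
    """Build a constructed `gpg --with-colons --check-sigs` listing.

    The keyring holds the master key, the look-alike key and the archive key;
    archive_sigs is a list of (validity, signer_fingerprint) certifications on
    the archive key, emitted as 'sig' records right after its 'uid' record.
    """
    keys = [
        (MASTER_FPR, "u", "Master Key <master@example.org>"),
        (IMPOSTOR_FPR, "-", "Master Key <master@example.org>"),
        (ARCHIVE_FPR, "-", "Archive Signing Key <archive@example.org>"),
    ]
    lines = []
    for fpr, validity, uid in keys:
        lines.append(f"pub:{validity}:4096:1:{fpr[-16:]}:1316700000:::{validity}:::scESC::::::23::0:")
        lines.append(f"fpr:::::::::{fpr}:")
        lines.append(f"uid:{validity}::::1316700000::{fpr[:8]}::{uid}::::::::::0:")
    for validity, signer in archive_sigs:
        lines.append(f"sig:{validity}::1:{signer[-16:]}:1316700000::::"
                     f"Master Key <master@example.org>:13x:::::2:")
    return "\n".join(lines) + "\n"


@dataclass
class Key:
    keyid: str
    fingerprint: str = ""
    sigs: list = field(default_factory=list)  # (validity, signer 64-bit key ID)


def parse_colons(text):
    """Group pub/fpr/sig records per primary key (no subkeys in this sample)."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append(Key(keyid=f[4]))
        elif f[0] == "fpr" and keys:
            keys[-1].fingerprint = f[9]
        elif f[0] == "sig" and keys:
            keys[-1].sigs.append((f[1], f[4]))
    return keys


def keyid_string_check(text, candidate_fpr, trusted_short_id):
    """The pattern the report criticises: any 'sig' line whose key-ID string
    ends in the trusted short ID counts as "signed by the master key", no
    matter what gpg actually concluded about the signature."""
    for key in parse_colons(text):
        if key.fingerprint == candidate_fpr:
            return any(signer.endswith(trusted_short_id) for _, signer in key.sigs)
    return False


def verified_check(text, candidate_fpr, trusted_fpr):
    """Accept the candidate only if gpg reports a good signature ('!') and the
    signer, resolved to its full fingerprint through the same listing, is the
    trusted master key. (64-bit key IDs are used only as a lookup key here; a
    production check should tie the signature to the issuer fingerprint.)"""
    keys = parse_colons(text)
    fpr_by_keyid = {k.keyid: k.fingerprint for k in keys}
    for key in keys:
        if key.fingerprint != candidate_fpr:
            continue
        return any(validity == "!" and fpr_by_keyid.get(signer) == trusted_fpr
                   for validity, signer in key.sigs)
    return False


if __name__ == "__main__":
    # Archive key carries a *bad* signature from the real master key and a
    # *good* signature from the look-alike with the same short ID.
    hostile = listing([("-", MASTER_FPR), ("!", IMPOSTOR_FPR)])
    print("string check accepts:", keyid_string_check(hostile, ARCHIVE_FPR, MASTER_FPR[-8:]))
    print("verified check accepts:", verified_check(hostile, ARCHIVE_FPR, MASTER_FPR))
```

The first listing is exactly the situation the report describes: the key-ID check says "yes" twice over, once for a signature gpg marked bad and once for a good signature by a key that merely shares the short ID, while the verdict-and-fingerprint check rejects both. Only a listing in which the archive key carries a `!` certification by the key whose full fingerprint is the master's passes the second check.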