Hi Julian, * Julian Andres Klode <jak@debian.org> wrote: > On Fri, Sep 23, 2011 at 09:16:03AM +0200, Alexander Neumann wrote: > > I've reopened this bug and set the severity to normal in order to keep track > > on the code this bug pointed at. > > > > The cryptographic verification code used in the function called by apt-key > > net-update is utterly broken. The situation is not improved by replacing > > "list-sigs" to "check-sigs", because still the key id strings (which are > > absurdly short and easy to forge) are used to "verify" that a key has been > > signed by another key. This is broken. > > > > This bug may be closed either when the code in apt-key has been replaced so > > that the signatures are checked or the code is removed completely. In retrospect, I think my tone was too harsh when writing this, please accept my apologies. > I don't see a reason to have a bug open for code which we do not use. The > only people affected by this are downstream distributions, and the fix > will get in via Ubuntu once its there. Bugs in disabled code are no > bugs. And we already have a bug in Launchpad, right were people are > affected by this. And the APT developers are subscribed to both bug > trackers. If at all, that's a minor documentation issue for us. Hm. I disagree. I still think this bug should remain open until the code is properly fixed and has entered unstable, but I will accept your decision. What do you propose? Regards, - Alexander
Attachment:
pgp88BqMfRIbc.pgp
Description: PGP signature