Debian Bug report logs - #345891
needs update for new archive key


Package: apt; Maintainer for apt is APT Development Team <deity@lists.debian.org>; Source for apt is src:apt.

Reported by: Joey Hess <joeyh@debian.org>

Date: Wed, 4 Jan 2006 04:18:01 UTC

Severity: serious

Tags: d-i

Merged with 345823, 345956, 346002, 347540

Found in version apt/0.6.43

Fixed in version 0.6.43.1

Done: Joey Hess <joeyh@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345891; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: needs update for new archive key
Date: Tue, 3 Jan 2006 23:07:37 -0500
[Message part 1 (text/plain, inline)]
Package: apt
Version: 0.6.43
Severity: serious
Tags: d-i

apt needs to be updated for this year's archive key which is apparently
the one at http://ftp-master.debian.org/ziyi_key_2006.asc

I'm tagging this bug d-i because not having the key up-to-date in apt
breaks new installations since apt doesn't work, and will begin breaking
d-i even worse once the old archive key expires.

FWIW, I think that the archive key should be split out into a new
package that can be updated more easily than apt, but for now a quick
fix is called for.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Merged 345823 345891. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 345823 345891 346002. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `serious'. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `serious'. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 345823 345891 345956 346002. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345891; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #20 received at submit@bugs.debian.org (full text, mbox):

From: Michael Vogt <mvo@debian.org>
To: Joey Hess <joeyh@debian.org>, 345891@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#345891: needs update for new archive key
Date: Thu, 5 Jan 2006 23:27:40 +0100
On Tue, Jan 03, 2006 at 11:07:37PM -0500, Joey Hess wrote:
> Package: apt
> Version: 0.6.43
> Severity: serious
> Tags: d-i

Thanks for your bug report and sorry for my late reply.
 
> apt needs to be updated for this year's archive key which is apparently
> the one at http://ftp-master.debian.org/ziyi_key_2006.asc

The new key is added to my baz repository and it will be part of the
next (very soon) upload. 

> I'm tagging this bug d-i because not having the key up-to-date in apt
> breaks new installations since apt doesn't work, and will begin breaking
> d-i even worse once the old archive key expires.

The updated default key in apt means that new installs will be fine,
but we need a better system for upgrades (see below).

> FWIW, I think that the archive key should be split out into a new
> package that can be updated more easily than apt, but for now a quick
> fix is called for.

I think the same. My proposal is to create a new debian-server-keyring
[1] package that contains:
/usr/share/keyrings/debian-archive-keyring.gpg
/usr/share/keyrings/debian-archive-removed-keys.gpg

and calls "apt-key update" in its postinst. apt-key update will add
new keys from "debian-archive-keyring.gpg" via "apt-key add" and remove
keys in debian-archive-removed-keys.gpg via "apt-key del".

This way installing/updating the package will ensure that new keys are
added as required and obsolete keys can be removed. Because the keys
are part of a package and the package is covered with the trust-chain
there is no trust-chain violation.

If people are happy with my proposal I'll prepare and upload such a
package. 

Cheers,
 Michael

[1] I think we should create a new package and not use debian-keyring
because debian-keyring is pretty big.
-- 
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345891; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345891; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #30 received at 345891@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Michael Vogt <mvo@debian.org>
Cc: 345891@bugs.debian.org
Subject: Re: Bug#345891: needs update for new archive key
Date: Thu, 5 Jan 2006 18:54:32 -0500
[Message part 1 (text/plain, inline)]
Thanks for following up on this..

Michael Vogt wrote:
> I think the same. My proposal is to create a new debian-server-keyring
> [1] package that contains:
> /usr/share/keyrings/debian-archive-keyring.gpg
> /usr/share/keyrings/debian-archive-removed-keys.gpg
> 
> and calls "apt-key update" in its postinst. apt-key update will add
> new keys from "debian-archive-keyring.gpg" via "apt-key add" and remove
> keys in debian-archive-removed-keys.gpg via "apt-key del".
> 
> This way installing/updating the package will ensure that new keys are
> added as required and obsolete keys can be removed. Because the keys
> are part of a package and the package is covered with the trust-chain
> there is no trust-chain violation.
> 
> If people are happy with my proposal I'll prepare and upload such a
> package. 

Yes, that sounds right to me.

The installer also needs a copy of the keyring. Currently we copy this
from the keyring shipped in apt at package build time, but it would be
much nicer if there were a udeb that only contained the keyring. Once
you create this package I can send a patch to also make it produce an
appropriate udeb.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345891; Package apt. Full text and rfc822 format available.

Acknowledgement sent to 345891@bugs.debian.org, Adeodato Simó <dato@net.com.org.es>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #35 received at 345891@bugs.debian.org (full text, mbox):

From: Adeodato Simó <dato@net.com.org.es>
To: Michael Vogt <mvo@debian.org>, 345891@bugs.debian.org
Subject: Re: Bug#345891: needs update for new archive key
Date: Fri, 6 Jan 2006 02:59:21 +0100
* Michael Vogt [Thu, 05 Jan 2006 23:27:40 +0100]:

> but we need a better system for upgrades (see below).

  Thanks for proposing this.

> I think the same. My proposal is to create a new debian-server-keyring

  Can I suggest that it's called debian-archive-keyring (or -keys)
  instead? "debian-server" sounds like "a debian server", while
  "debian-archive" sounds more (at least to me) like "the Debian
  Archive".

  Thanks,

-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
 
Man: Wow, that woman looks exactly the way Nina is going to look in
about ten years... Oh shit, it is Nina. Don't tell her what I said, okay?
                -- http://www.overheardinnewyork.com/archives/003086.html




Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345891; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Andrew Vaughan <ajv-lists@netspace.net.au>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #40 received at 345891@bugs.debian.org (full text, mbox):

From: Andrew Vaughan <ajv-lists@netspace.net.au>
To: 345891@bugs.debian.org
Subject: Re: Bug#345891: needs update for new archive key
Date: Fri, 6 Jan 2006 17:21:04 +1100
Hi

Further things to consider.  Apologies if these have already been handled.

1. Dec 2006 Etch releases.  Jill downloads and burns etch install cd.
   Jan 2007, old archive key expires, new archive key issued.
   Jan 2008, old archive key expires, new archive key issued.
   Mar 2008, Jill tries to install from the cd created in Dec 2006.  

   Will that work?

   Will that work if all debian-archive-keys were revoked/replaced in
   mid 2007?

2. security.d.o will (presumably) also be signed. 
   Will that be using the same key?

   Using separate keys might make updating after a key compromise simpler.
   (You could use the not-compromised key to sign both package lists
   temporarily).

Andrew

PS I also prefer debian-archive-keyring/debian-archive-keys.



Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345891; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #45 received at 345891@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Andrew Vaughan <ajv-lists@netspace.net.au>, 345891@bugs.debian.org
Subject: Re: Bug#345891: needs update for new archive key
Date: Thu, 5 Jan 2006 23:35:22 -0800
[Message part 1 (text/plain, inline)]
On Fri, Jan 06, 2006 at 05:21:04PM +1100, Andrew Vaughan wrote:
> Hi

> Further things to consider.  Apologies if these have already been handled.

> 1. Dec 2006 Etch releases.  Jill downloads and burns etch install cd.
>    Jan 2007, old archive key expires, new archive key issued.
>    Jan 2008, old archive key expires, new archive key issued.
>    Mar 2008, Jill tries to install from the cd created in Dec 2006.  

>    Will that work?

>    Will that work if all debian-archive-keys were revoked/replaced in
>    mid 2007?

The ISO images are generated on a different machine from ftp-master, with
their own Release files which must be signed by a separate key.  The policy
for those keys (and for keys used for signing stable in general?) probably
needs to be separate from that used on the ftp archive.

Anyway, if by "install" you mean "fresh install", rather than just "install
some packages from this CD", the keys contained *on* the CD are ultimately
trusted (as is the rest of the software on the CD at time of install,
basically) at least until the point when you add some external apt source
that pulls revocation certificates from the network.  So doing an install
from the CD should work fine, as long as the CD-signing key has no
expiration date or one sufficiently far in the future to cover our
worst-case needs for etch, or we provide some override in the CD to allow
installing with an ancient signature.  Either way, I think ISOs pose much
less of a problem for us than ftp apt sources for stable.

> 2. security.d.o will (presumably) also be signed. 
>    Will that be using the same key?

I don't see any good reason to use the same key, given that they're on
separate systems.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345891; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #50 received at 345891@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: 345891@bugs.debian.org
Cc: Joey Hess <joeyh@debian.org>
Subject: Re: Bug#345891: needs update for new archive key
Date: Fri, 6 Jan 2006 06:44:05 +0100
> I think the same. My proposal is to create a new debian-server-keyring
> [1] package that contains:
> /usr/share/keyrings/debian-archive-keyring.gpg
> /usr/share/keyrings/debian-archive-removed-keys.gpg


I add my voice here: this seems fair by me (with the name change
suggested by dato).

However, this raises an interesting question: who will maintain this
package?

My feeling is that it should be in the hands of the ftpmaster
team. This would give the guarantee of reactivity when updates are due
(hopefully once a year).





Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345891; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #55 received at 345891@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: Steve Langasek <vorlon@debian.org>, 345891@bugs.debian.org
Cc: Andrew Vaughan <ajv-lists@netspace.net.au>
Subject: Re: Bug#345891: needs update for new archive key
Date: Fri, 6 Jan 2006 09:56:22 -0500
[Message part 1 (text/plain, inline)]
Steve Langasek wrote:
> The ISO images are generated on a different machine from ftp-master, with
> their own Release files which must be signed by a separate key.  The policy
> for those keys (and for keys used for signing stable in general?) probably
> needs to be separate from that used on the ftp archive.

The CDs aren't signed at all right now, but for all CDs except for full
CDs (netinst, businesscard), if the archive key built into the CD is
expired, the install will probably fail.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#345891; Package apt. Full text and rfc822 format available.

Acknowledgement sent to Michael Vogt <mvo@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. Full text and rfc822 format available.

Message #60 received at 345891@bugs.debian.org (full text, mbox):

From: Michael Vogt <mvo@debian.org>
To: 345891@bugs.debian.org, Adeodato Simó <dato@net.com.org.es>
Subject: Re: Bug#345891: needs update for new archive key
Date: Tue, 10 Jan 2006 10:06:31 +0100
On Fri, Jan 06, 2006 at 02:59:21AM +0100, Adeodato Simó wrote:
> * Michael Vogt [Thu, 05 Jan 2006 23:27:40 +0100]:
> > but we need a better system for upgrades (see below).
> 
>   Thanks for proposing this.
> 
> > I think the same. My proposal is to create a new debian-server-keyring
> 
>   Can I suggest that it's called debian-archive-keyring (or -keys)
>   instead? "debian-server" sounds like "a debian server", while
>   "debian-archive" sounds more (at least to me) like "the Debian
>   Archive".

Thanks everyone for their opinion. 

I uploaded a new debian-archive-keyring package a couple of minutes
ago that will work with apt-key update (and calls it automatically
after it was installed). It will also build a udeb (as suggested by
Joey Hess, thanks to Colin Watson).

About maintainership of this package, I'm happy to maintain it for
now, but I'm equally happy to give it away to the ftp-masters.

This package solves the problem for scheduled key rollovers (where we
sign with both new and old key for a certain time), but it uses the
old key to verify the package. This means that it's not suitable
against a key compromise of the archive key. How to deal with this
scenario needs to be discussed further. 

Cheers,
 Michael

-- 
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
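The trust-state logic discussed in message #20 (a keyring package whose postinst runs "apt-key update", adding keys from debian-archive-keyring.gpg and deleting those in debian-archive-removed-keys.gpg) and message #60 (dual-signing handles a scheduled rollover, but the keyring package itself is verified with the old key, so a compromise of that key is not addressed), together with Andrew Vaughan's stale-CD scenario from message #40, as an added Python model. This is not code from this bug log or from apt: OpenPGP signatures are stood in for by HMAC tags under a per-key secret (a deliberate simplification so it runs offline), and the key ids, expiry dates and Release contents are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ArchiveKey:
    """One yearly archive signing key. The secret stands in for the OpenPGP
    key pair (simplification); ids and expiry dates are constructed."""
    key_id: str
    secret: bytes
    expires: date


def sign_release(release: bytes, key: ArchiveKey) -> Tuple[str, bytes]:
    """Archive side: one signature over the Release file with the given key."""
    return key.key_id, hmac.new(key.secret, release, hashlib.sha256).digest()


def verify_release(release: bytes, signatures: List[Tuple[str, bytes]],
                   trusted: Dict[str, ArchiveKey], today: date) -> bool:
    """Client side: accept if at least one signature is by a key that is in the
    local trusted keyring and has not expired. Signatures by unknown or expired
    keys are skipped, not rejected; that is what lets the archive sign with
    old and new key during a rollover without breaking either client."""
    for key_id, tag in signatures:
        key = trusted.get(key_id)
        if key is None or key.expires < today:
            continue
        expected = hmac.new(key.secret, release, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            return True
    return False


def apt_key_update(trusted: Dict[str, ArchiveKey], keyring_pkg: List[ArchiveKey],
                   removed_keys: List[str]) -> None:
    """What the keyring package's postinst does through 'apt-key update'."""
    for key in keyring_pkg:
        trusted[key.key_id] = key          # apt-key add, from debian-archive-keyring.gpg
    for key_id in removed_keys:
        trusted.pop(key_id, None)          # apt-key del, from debian-archive-removed-keys.gpg


def simulate_rollover() -> Dict[str, bool]:
    key_2006 = ArchiveKey("2006", b"constructed-secret-2006", date(2007, 1, 31))
    key_2007 = ArchiveKey("2007", b"constructed-secret-2007", date(2008, 1, 31))
    key_2008 = ArchiveKey("2008", b"constructed-secret-2008", date(2009, 1, 31))
    release = b"Origin: Debian\nSuite: stable\nSHA256: (constructed)\n"
    results: Dict[str, bool] = {}

    # A client installed in 2006 trusts only the key built into apt at the time.
    client = {key_2006.key_id: key_2006}

    # Overlap period: the archive signs with both keys; the old-only client still verifies.
    overlap = [sign_release(release, key_2006), sign_release(release, key_2007)]
    results["overlap_old_client_ok"] = verify_release(release, overlap, client, date(2007, 1, 10))

    # The keyring package arrives through the same archive and is verified with the OLD key.
    # Whoever holds that key can therefore sign a keyring update: this is the limit
    # message #60 points out, not a fix for an old-key compromise.
    keyring_pkg_release = b"Package: debian-archive-keyring (constructed)\n"
    results["keyring_pkg_verified_by_old_key"] = verify_release(
        keyring_pkg_release, [sign_release(keyring_pkg_release, key_2006)],
        client, date(2007, 1, 10))

    apt_key_update(client, [key_2007], removed_keys=["2006"])
    results["old_key_removed"] = "2006" not in client
    results["updated_client_ok"] = verify_release(
        release, [sign_release(release, key_2007)], client, date(2007, 6, 1))

    # Jill's CD: keyring frozen in Dec 2006, used in Mar 2008 with no keyring update.
    stale_cd = {key_2006.key_id: key_2006}
    results["stale_cd_mar_2008_ok"] = verify_release(
        release, [sign_release(release, key_2008)], stale_cd, date(2008, 3, 1))
    # Even a signature by the old key no longer helps once that key has expired.
    results["stale_cd_expired_sig_ok"] = verify_release(
        release, [sign_release(release, key_2006)], stale_cd, date(2008, 3, 1))
    return results


if __name__ == "__main__":
    for name, ok in simulate_rollover().items():
        print(f"{name}: {ok}")
```

The model keeps the verification rule deliberately minimal (any one trusted, unexpired signature suffices) because that is the property the dual-signing rollover relies on; the two False results at the end are the stale-CD failure mode, and the keyring_pkg_verified_by_old_key result is the trust-chain property that makes the package safe for scheduled rollovers and insufficient after a compromise.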



Merged 345823 345891 345956 346002 347540. Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 08:57:01 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 19:04:16 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.