[prev in list] [next in list] [prev in thread] [next in thread]
List: debian-devel
Subject: Re: New requirements for APT repository signing
From: Julian Andres Klode <jak () debian ! org>
Date: 2024-03-01 8:55:37
Message-ID: 20240301095215.GA2622066 () debian ! org
[Download RAW message or body]
On Thu, Feb 29, 2024 at 12:29:40AM +0000, Phil Wyett wrote:
> On Wed, 2024-02-28 at 20:20 +0100, Julian Andres Klode wrote:
> > APT 2.7.13 just landed in unstable and with GnuPG 2.4.5 installed,
> > or 2.4.4 with a backport from the 2.4 branch, requires repositories
> > to be signed using one of
> >
> > - RSA keys of at least 2048 bit
> > - Ed25519
> > - Ed448
> >
> > Any other keys will cause warnings. These warnings will become
> > errors in March as we harden it up for the Ubuntu 24.04 release,
> > which was the main driver to do the change *now*.
> >
> > If you operate third-party repositories using different key
> > algorithms, now is your time to migrate before you get hit
> > with an error.
> >
> > For the Ubuntu perspective, feel free to check out the discourse
> > post:
> >
> > https://discourse.ubuntu.com/t/new-requirements-for-apt-repository-signing-in-24-04/42854
>
> Hi,
>
> Could I be pointed to the public conversation, any plans or bug reports related to this
> update and transition etc. for affected users?
Some more information are in the GnuPG feature request:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042391 (July 2023)
https://dev.gnupg.org/T6946 (Jan 2024)
Original announcement at
https://lists.ubuntu.com/archives/ubuntu-devel/2024-January/042883.html
Since then revised after rounds of feedback on internal specifications
and meetings.
Not sure what transition you are looking for, that's up for you
repository owners to figure out.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic