
List:       debian-devel
Subject:    Re: New requirements for APT repository signing
From:       Sune Vuorela <nospam () vuorela ! dk>
Date:       2024-03-04 7:47:08
Message-ID: us3u9s$b30$1 () ciao ! gmane ! io

On 2024-03-03, RL <richard.lewis.debian@googlemail.com> wrote:
> It does - but also makes me wonder: is this going to affect Debian users
> with 3rd party repositories when they upgrade to trixie? (or is that not
> yet known?)

In theory. I don't know if there are any statistics on 'popular'
3rd-party repositories and their keys. But assuming they're doing key
rolls at 5-10 year intervals or less, it should be okay.
Or just if the 3rd-party repository doesn't have decade(s) long history.

> (release-notes do say to remove all 3rd party packages before upgrades
> but i suspect that is ignored: helpful to provide a heads-up anyway)

But that doesn't remove the old imported keys from the keyring. Which, I
guess, is the main issue: a combination of things:
 - People never reinstall their system
 - Someone 10 years ago added a now insecure key to their apt and forgot about it.
 - Modern hardware might be able to in the not too distant future
   recreate matching keys...
Even if said repository is now dead and removed from the keyring. If just
one of those were not valid, we could probably keep ignoring the issue.

/Sune
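The combination Sune describes (old keys imported years ago and never removed) is something an administrator can check for directly. The script below is an added example for this thread, not code from Sune, Debian or APT: it lists the keys in the usual APT keyring locations (the legacy /etc/apt/trusted.gpg that apt-key wrote to, /etc/apt/trusted.gpg.d, /etc/apt/keyrings and /usr/share/keyrings) and flags keys that are DSA, short RSA/DSA keys, or keys created more than a configurable number of days ago. The thresholds (10 years, 2048 bits) are this example's own assumptions, not a statement of the new APT requirements, and the sample colon-format lines used for the self-check are constructed.

```shell
#!/bin/sh
# Added example: audit APT keyrings for old or short signing keys.
# Assumes gpg >= 2.2 (for --show-keys) and the standard APT keyring paths.

# Thresholds are assumptions chosen for this example, not Debian policy.
MAX_AGE_DAYS=3650
MIN_RSA_DSA_BITS=2048

# flag_weak_keys: read `gpg --with-colons` output on stdin and print one
# line per flagged primary key: "<keyid> <reasons>". Optional $1 is the
# reference "now" as a unix timestamp (defaults to the current time).
flag_weak_keys() {
    now="${1:-$(date +%s)}"
    awk -F: -v now="$now" -v maxage="$MAX_AGE_DAYS" -v minbits="$MIN_RSA_DSA_BITS" '
    $1 == "pub" {
        # colon-format fields: 3 = key length, 4 = algorithm id,
        # 5 = key id, 6 = creation time (seconds since epoch)
        bits = $3; algo = $4; keyid = $5; created = $6
        reason = ""
        # algorithm ids (RFC 4880): 1 RSA, 17 DSA, 19 ECDSA, 22 EdDSA
        if ((algo == 1 || algo == 17) && bits + 0 < minbits)
            reason = reason "short-" (algo == 1 ? "rsa" : "dsa") "-" bits "bit "
        if (algo == 17)
            reason = reason "dsa "
        if (created ~ /^[0-9]+$/ && (now - created) / 86400 > maxage)
            reason = reason "older-than-" maxage "-days "
        if (reason != "") print keyid, reason
    }'
}

# audit_apt_keyrings: run every keyring file APT trusts through the check.
# --show-keys reads both binary keyrings and ASCII-armored .asc files.
audit_apt_keyrings() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 1; }
    for f in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/* \
             /etc/apt/keyrings/* /usr/share/keyrings/*; do
        [ -f "$f" ] || continue
        gpg --batch --with-colons --show-keys "$f" 2>/dev/null |
            flag_weak_keys | sed "s|^|$f: |"
    done
}

# Self-check on constructed input: a 1024-bit DSA key from 2010 and a
# 4096-bit RSA key from late 2023, evaluated as of 2024-03-04.
self_check() {
    printf '%s\n' \
        'pub:-:1024:17:ABCDEF0123456789:1262304000:::-:::scESC::::::23::0:' \
        'pub:-:4096:1:0123456789ABCDEF:1700000000:::-:::scESC::::::23::0:' |
        flag_weak_keys 1709539628
}

# Run the real audit only when explicitly asked, so sourcing the file is safe.
if [ "${APT_KEY_AUDIT_RUN:-0}" = 1 ]; then
    audit_apt_keyrings
fi
```

Run it with `APT_KEY_AUDIT_RUN=1 sh apt-key-audit.sh` (file name is the example's own choice); each flagged line names the keyring file, so a key that belongs to a repository that no longer exists can be traced back to the file that still carries it and removed from there.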
