Package: ubuntu-archive-keyring Version: 2016.05.13-1 Severity: normal Tags: security X-Debbugs-Cc: [email protected]
The upgrade to 2016.05.13-1 added the Ubuntu archive keyring to the list of keyrings trusted by APT on my system. This is not what I expected when I've installed the package initially, given: Description: GnuPG keys of the Ubuntu archive The Ubuntu project digitally signs its Release files. This package contains the archive keys used for that. … I did not expect that it would add trust anchors to my APT configuration. What I expected is that I would get the archive keys installed somewhere in /usr/share (which is the case), in a way that does not affect my system's behavior (which isn't the case anymore). I've noticed this change of behavior only thanks to apt-listchanges, and I suspect that many users simply won't notice it, and won't be aware that this package has that effect on their system, which can sometimes violate security policies they need to comply with (it's precisely the case for me). I would suggest that this change is simply reverted. Now, if you prefer to keep it, then I would kindly ask that the package description is adjusted accordingly, and that a NEWS.Debian entry documents this important change. Thanks in advance! Cheers, -- intrigeri

