Package: ubuntu-archive-keyring
Version: 2016.05.13-1
Severity: normal
Tags: security
X-Debbugs-Cc: [email protected]

The upgrade to 2016.05.13-1 added the Ubuntu archive keyring to the
list of keyrings trusted by APT on my system. This is not what
I expected when I've installed the package initially, given:

  Description: GnuPG keys of the Ubuntu archive
   The Ubuntu project digitally signs its Release files. This package
   contains the archive keys used for that.

… I did not expect that it would add trust anchors to my APT
configuration. What I expected is that I would get the archive keys
installed somewhere in /usr/share (which is the case), in a way that
does not affect my system's behavior (which isn't the case anymore).

I've noticed this change of behavior only thanks to apt-listchanges,
and I suspect that many users simply won't notice it, and won't be
aware that this package has that effect on their system, which can
sometimes violate security policies they need to comply with (it's
precisely the case for me).

I would suggest that this change is simply reverted. Now, if you
prefer to keep it, then I would kindly ask that the package
description is adjusted accordingly, and that a NEWS.Debian entry
documents this important change.

Thanks in advance!

Cheers,
--
intrigeri

Reply via email to