On Tue, Mar 18, 2025 at 09:43:33AM +0100, Uwe Kleine-König wrote:
> Hello,
>
> On Tue, Mar 18, 2025 at 02:20:26AM +0100, Guillem Jover wrote:
> > It would be nice to stop accepting new updates that regress on this front. And ideally to start a new campaign like had been done in the past for other issues about weak keys/certificates.
>
> Something like this might implement the "stop accepting new updates" part. It's a bit more strict than suggested because it refuses all updates if the new key is broken.
The other problem is that "sq cert" is not available in bookworm. We have a requirement that we can build the keyring under a machine running stable. Recent versions of sequoia can't even be built on a bookworm machine (they want a newer Rust compiler), so unfortunately we're not going to be able to build that sort of check into our pipelines until trixie is released and deployed in the right places.
I see Guillem has already taken this to -devel. While I agree we want to get rid of SHA-1 self-signatures on keys, I'm not clear on exactly what problem this is causing with new dpkg, given that I'd expect the signatures it cares about are from the unaffected role keys?
J.

-- 
... Sleep? Isn't that some inferior replacement for caffeine?
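The check Uwe's patch implements, and that the reply says cannot yet rely on "sq cert" on bookworm, can be approximated without sequoia by walking the raw OpenPGP packets and refusing an update if any signature packet in the new key uses a weak hash. This is an added example, not the keyring team's code or Uwe's patch: it assumes a binary (dearmored) certificate, flags every signature packet rather than only self-signatures (coarser than the thread's wording, in the spirit of "refuses all updates if the new key is broken"), and uses a constructed packet stream, not a real key, as input.

```python
WEAK_HASH_IDS = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160"}  # hash algorithm ids, RFC 4880 section 9.4
SIGNATURE_TAG = 2

def iter_packets(data: bytes):
    """Yield (tag, body) for each packet in a binary OpenPGP stream (definite lengths only)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if ctb & 0x40:  # new-format header, RFC 4880 4.2.2
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths are not used in key material")
        else:  # old-format header, RFC 4880 4.2.1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            n = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length

def weak_hash_signatures(cert: bytes) -> list:
    """Names of weak hashes used by v4+ signature packets (octets: version, type, pk algo, hash algo)."""
    return [WEAK_HASH_IDS[body[3]] for tag, body in iter_packets(cert)
            if tag == SIGNATURE_TAG and len(body) >= 4 and body[0] >= 4
            and body[3] in WEAK_HASH_IDS]

def update_acceptable(cert: bytes) -> bool:
    """Policy from the thread: refuse the whole update if the new key carries any weak-hash signature."""
    return not weak_hash_signatures(cert)

def build_sample_cert() -> bytes:
    """Constructed sample (not a real key): a v4 key, a user ID and two certifications, dummy fields."""
    def pkt(tag, body):  # new-format header with a one-octet length
        return bytes([0xC0 | tag, len(body)]) + body
    key = pkt(6, b"\x04" + b"\x00" * 12)
    uid = pkt(13, b"Test User <test@example.org>")
    sha1_sig = pkt(2, bytes([4, 0x13, 1, 2]) + b"\x00" * 8)    # hash algo 2 = SHA-1
    sha256_sig = pkt(2, bytes([4, 0x13, 1, 8]) + b"\x00" * 8)  # hash algo 8 = SHA-256
    return key + uid + sha1_sig + sha256_sig
```

Armored keys need to be dearmored first (for example with `gpg --dearmor`), and a production check would additionally match each signature's issuer against the key before calling it a self-signature.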