On Thu, Jan 18, 2024 at 07:01:48PM +0100, Julian Andres Klode wrote:
> Hi,
>
> we just noticed again that we are still trusting 1024R keys for
> signing repositories in APT, arguably because we do not have a
> means to tell gpgv the minimum key size.
>
> While the upstream bug[0] is being worked on,
> I have written a hack[1] that - if APT_SIGNING_REQUIREMENTS_HACK
> environment variable is set - makes gpgv error out on keys smaller
> than 2048R and warn on keys smaller than 3072R (following the
> current OpenPGP draft size length requirements, 3072 is a SHOULD,
> 2048 a MUST).
>
> I have also written code in APT to actually parse GPG error and
> warning status messages, and set the environment variable.[2]
>
> Sadly shipping this in 24.04 means that PPAs owned by user
> accounts created prior to 2014-03-11[3] until the key rotation
> mechanism(s) [4][5] have been implemented.
I think there is a word missing in the above paragraph. What specifically will happen to PPAs owned by user accounts created prior to 2014-03-11?

Thanks,
--
Brian Murray

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel