On Wed, Jan 24, 2024, Michael Hudson-Doyle wrote:
> On Tue, 23 Jan 2024 at 02:31, Jeremy Bícha <jeremy.bi...@canonical.com>
> wrote:
>
> > On Mon, Jan 22, 2024 at 7:36 AM Dimitri John Ledkov
> > <dimitri.led...@canonical.com> wrote:
> > > > Sadly shipping this in 24.04 means that PPAs owned by user
> > > > accounts created prior to 2014-03-11[3] until the key rotation
> > > > mechanism(s) [4][5] have been implemented.
> > > >
> > >
> > > I do wonder how many active old PPA owners remain in action.
> > >
> > > And if we can reset per-series signing keys on all of those for any
> > > new PPAs, and noble series (meaning single signe, new key for noble+).
> > >
> > > I have personally created a new team for myself, only added myself to
> > > be a member of said team, to gain access to PPAs signed with 4k RSA
> > > key, as I can no longer use my own ppas. I guess I should ask to
> > > delete them all, and request removal of the signing key to gain back
> > > personal PPAs with 4k signing key.
> >
> > Many of Ubuntu's core teams are older than 2014. This includes
> > Desktop, Checkbox, Kernel, Pythoneers, Security, Mozilla, LibreOffice,
> > Kubuntu, Lubuntu.
> >
> > I suspect that this change would break most of the heaviest used PPAs.
> > We need a coordinated transition.
> >
>
> I agree with Jeremy that we can't just blithely assume all PPAs created
> before 2014 are no longer much used.
>
> Unfortunately I don't know what that means for a way forward. Clearly 1024R
> keys should be retired. From one angle, I can imagine a scheme where a repo
> is dual-signed and signs the new key with the old to convince apt to update
> it but from another this seems impossible (and clearly very unlikely to
> land before noble GA).

We know of at least one active PPA with a 1024-bit key:
https://launchpad.net/~videolan/+archive/ubuntu/master-daily .

On the other hand, we can probably imagine there are only a few of them.
How do we do a large-scale analysis, however? Actually, I think I spotted
something in launchpadlib but I haven't used that library yet and would
have to spend time discovering it.

-- 
Adrien
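
A per-key check that a large-scale analysis of PPA signing keys would need, as an added example that is not part of the original thread: it reads the RSA modulus size from a binary (dearmored) OpenPGP v4 public-key packet as laid out in RFC 4880. The 2048-bit threshold, the function names and the constructed sample packets are assumptions of this example; fetching the keys from Launchpad is not shown.

```python
import struct

MIN_RSA_BITS = 2048      # assumed policy threshold for this example
RSA_ALGOS = {1, 2, 3}    # RFC 4880 public-key algorithm ids for RSA

def packet_body(data):
    """Return (tag, body) of the first OpenPGP packet in binary key data."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet (is the key still armored?)")
    if hdr & 0x40:                        # new-format packet header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            start, length = 2, first
        elif first < 224:
            start, length = 3, ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            start, length = 6, struct.unpack(">I", data[2:6])[0]
        else:
            raise ValueError("partial body lengths not supported")
    else:                                 # old-format packet header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        start = 1 + (1 << ltype)          # 1-, 2- or 4-octet length field
        length = int.from_bytes(data[1:start], "big")
    return tag, data[start:start + length]

def rsa_key_bits(data):
    """Bit length of the RSA modulus in a v4 primary public-key packet."""
    tag, body = packet_body(data)
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet")
    if body[5] not in RSA_ALGOS:          # version(1) + creation time(4) + algo(1)
        raise ValueError("not an RSA key")
    return struct.unpack(">H", body[6:8])[0]   # MPI bit count of modulus n

def is_weak(data):
    return rsa_key_bits(data) < MIN_RSA_BITS

def build_test_key(bits):
    """Constructed sample packet with a dummy modulus; not a usable key."""
    n = (1 << (bits - 1)) | 1
    mpi_n = struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")
    mpi_e = struct.pack(">H", 17) + (65537).to_bytes(3, "big")
    body = b"\x04" + struct.pack(">I", 1262304000) + b"\x01" + mpi_n + mpi_e
    return b"\x99" + struct.pack(">H", len(body)) + body
```

An ASCII-armored key has to be converted to binary first, for example with `gpg --dearmor`, before it is passed to `rsa_key_bits`.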