Tuesday 23 January 2024

Re: Bumping apt RSA key length requirements to 3072-bit (2048 w/ warning) for 24.04

On Thu, Jan 18, 2024 at 07:01:48PM +0100, Julian Andres Klode wrote:
> Hi,
>
> we just noticed again that we are still trusting 1024R keys for
> signing repositories in APT, arguably because we do not have a
> means to tell gpgv the minimum key size.
>
> While the upstream bug[0] is being worked on,
> I have written a hack[1] that - if APT_SIGNING_REQUIREMENTS_HACK
> environment variable is set - makes gpgv error out on keys smaller
> than 2048R and warn on keys smaller than 3072R (following the
> current OpenPGP draft size length requirements, 3072 is a SHOULD,
> 2048 a MUST).
>
> I have also written code in APT to actually parse GPG error and
> warning status messages, and set the environment variable.[2]
>
> Sadly shipping this in 24.04 means that PPAs owned by user
> accounts created prior to 2014-03-11[3] until the key rotation
> mechanism(s) [4][5] have been implemented.

I think there is a word missing in the above paragraph. What
specifically will happen to PPAs owned by user accounts created prior to
2014-03-11?

Thanks,
--
Brian Murray
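The policy described in the quoted message (gpgv errors on RSA keys below 2048 bits and warns below 3072) can be sketched outside of gpgv by reading the keys in a repository keyring and applying the same thresholds. The following is an added example, not the APT hack or the gpgv patch referenced above; it assumes the field layout of `gpg --with-colons --list-keys` (field 1 = record type, 3 = key length in bits, 4 = public-key algorithm with 1 = RSA, 5 = key ID, 12 = capability letters), and the sample listing embedded in it is constructed, not captured from a real PPA keyring.

```python
"""Minimum RSA key size check for repository signing keys (added example).

Assumed gpg --with-colons layout: field 1 record type, field 3 key length,
field 4 algorithm (1/2/3 = RSA variants), field 5 key ID, field 12 capabilities.
"""
import subprocess
from dataclasses import dataclass

MUST_BITS = 2048    # RSA keys below this are rejected (MUST in the draft)
SHOULD_BITS = 3072  # RSA keys below this only produce a warning (SHOULD)
RSA_ALGOS = {1, 2, 3}  # OpenPGP algorithm IDs for RSA, RSA-E, RSA-S


@dataclass
class KeyPolicyResult:
    keyid: str
    bits: int
    algo: int
    level: str    # "ok", "warn" or "error"
    reason: str


def classify_key(bits, algo):
    """Return (level, reason) for one key under the 2048/3072 RSA policy."""
    if algo not in RSA_ALGOS:
        return "ok", "non-RSA key; RSA size policy not applied"
    if bits < MUST_BITS:
        return "error", f"RSA {bits}-bit key is below the {MUST_BITS}-bit minimum"
    if bits < SHOULD_BITS:
        return "warn", f"RSA {bits}-bit key is below the recommended {SHOULD_BITS} bits"
    return "ok", "meets size policy"


def parse_colon_listing(listing):
    """Yield (keyid, bits, algo) for each primary key and signing-capable subkey."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 12 or fields[0] not in ("pub", "sub"):
            continue
        # Only subkeys with the 's' (sign) capability can sign a Release file.
        if fields[0] == "sub" and "s" not in fields[11]:
            continue
        keys.append((fields[4], int(fields[2]), int(fields[3])))
    return keys


def check_keyring_listing(listing):
    """Apply the policy to every signing key found in a colon-format listing."""
    results = []
    for keyid, bits, algo in parse_colon_listing(listing):
        level, reason = classify_key(bits, algo)
        results.append(KeyPolicyResult(keyid, bits, algo, level, reason))
    return results


def worst_level(results):
    """Collapse per-key results to a single verdict, as a verifier would."""
    levels = {r.level for r in results}
    if "error" in levels:
        return "error"
    if "warn" in levels:
        return "warn"
    return "ok"


def check_keyring(path):
    """Run gpg on a keyring file (requires gpg installed) and apply the policy."""
    out = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", path,
         "--with-colons", "--list-keys"],
        check=True, capture_output=True, text=True).stdout
    return check_keyring_listing(out)


# Constructed sample listing: a 1024R primary key (the pre-2014 PPA case), a
# 2048R key with a 2048R signing subkey, a 4096R key and an Ed25519 key.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:-:1024:1:0123456789ABCDEF:1262304000:::-:::scESC::::::::::0:
uid:-::::1262304000::0000000000000000000000000000000000000000::Constructed PPA key::::::::::0:
pub:-:2048:1:FEDCBA9876543210:1400000000:::-:::scESC::::::::::0:
sub:-:2048:1:0011223344556677:1400000000::::::s::::::23:
pub:-:4096:1:AAAABBBBCCCCDDDD:1600000000:::-:::scESC::::::::::0:
pub:-:255:22:EEEEFFFF00001111:1650000000:::-:::scESC::::::::::0:
"""

if __name__ == "__main__":
    for r in check_keyring_listing(SAMPLE_LISTING):
        print(f"{r.level:5} {r.keyid} {r.bits}-bit algo {r.algo}: {r.reason}")
    print("verdict:", worst_level(check_keyring_listing(SAMPLE_LISTING)))
```

The listing-based check is deliberately separate from the `subprocess` call so the policy can be exercised offline; `check_keyring` is only a thin wrapper for running it against a real file such as one under /etc/apt/trusted.gpg.d. Note that this only inspects the keys present in a keyring; gpgv's own size enforcement, as the message describes, has to happen at signature verification time.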

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel