Tuesday 23 January 2024

Re: Bumping apt RSA key length requirements to 3072-bit (2048 w/ warning) for 24.04

On Wed, Jan 24, 2024, Michael Hudson-Doyle wrote:
> On Tue, 23 Jan 2024 at 02:31, Jeremy Bícha <jeremy.bicha@canonical.com>
> wrote:
>
> > On Mon, Jan 22, 2024 at 7:36 AM Dimitri John Ledkov
> > <dimitri.ledkov@canonical.com> wrote:
> > > > Sadly shipping this in 24.04 means that PPAs owned by user
> > > > accounts created prior to 2014-03-11[3] until the key rotation
> > > > mechanism(s) [4][5] have been implemented.
> > > >
> > >
> > > I do wonder how many active old PPA owners remain in action.
> > >
> > > And if we can reset per-series signing keys on all of those for any
> > > new PPAs, and noble series (meaning single signer, new key for noble+).
> > >
> > > I have personally created a new team for myself, only added myself to
> > > be a member of said team, to gain access to PPAs signed with 4k RSA
> > > key, as I can no longer use my own ppas. I guess I should ask to
> > > delete them all, and request removal of the signing key to gain back
> > > personal PPAs with 4k signing key.
> >
> > Many of Ubuntu's core teams are older than 2014. This includes
> > Desktop, Checkbox, Kernel, Pythoneers, Security, Mozilla, LibreOffice,
> > Kubuntu, Lubuntu.
> >
> > I suspect that this change would break most of the heaviest used PPAs.
> > We need a coordinated transition.
> >
>
> I agree with Jeremy that we can't just blithely assume all PPAs created
> before 2014 are no longer much used.
>
> Unfortunately I don't know what that means for a way forward. Clearly 1024R
> keys should be retired. From one angle, I can imagine a scheme where a repo
> is dual-signed and signs the new key with the old to convince apt to update
> it but from another this seems impossible (and clearly very unlikely to
> land before noble GA).

We know of at least one active PPA with a 1024-bit key:
https://launchpad.net/~videolan/+archive/ubuntu/master-daily .

On the other hand, we can probably imagine there are only a few of them.
How do we do a large-scale analysis however? Actually, I think I spotted
something in launchpadlib but I haven't used that library yet and would
have to spend time discovering it.

--
Adrien
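One concrete way to answer the "how big is the key actually" question locally, as an added example that is not part of this thread or of apt's or Launchpad's own code: the script below walks a binary (dearmored) OpenPGP keyring, reads the modulus bit length out of each RSA primary key and signing subkey packet, and classifies it against the thresholds proposed in the subject line (3072 and up accepted, 2048 accepted with a warning, anything smaller rejected). It does not talk to Launchpad; the idea would be to feed it the key material fetched for a PPA, or the files already installed under `/etc/apt/trusted.gpg.d` and referenced by `Signed-By:`. The three keys embedded at the bottom are synthetic packets with made-up moduli, constructed so the parser can be exercised offline, not real PPA keys.

```python
"""Audit RSA key lengths in an OpenPGP keyring against the proposed apt policy.

Added example for the apt key-length discussion; not apt's, gpg's or Launchpad's
own code.  Input must be binary packet data (armored keys: `gpg --dearmor` first).
"""
import struct
import sys

OK, WARN, REJECT = "ok", "warn", "reject"


def classify_rsa_bits(bits):
    """Proposed policy from the thread: >=3072 ok, 2048 warning, below rejected."""
    if bits >= 3072:
        return OK
    if bits >= 2048:
        return WARN
    return REJECT


def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet; old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % i)
        if ctb & 0x40:                      # new-format header
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header (0x99 for keys)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hdr = data[i + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[i + 1:i + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[i + 1:i + 5])[0], 5
            else:
                raise ValueError("indeterminate length not supported")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def rsa_bits_of_key_packet(body):
    """Modulus bit length of a v4 RSA public-key packet body, or None if not RSA."""
    version, algo = body[0], body[5]
    if version != 4 or algo not in (1, 2, 3):   # RSA (any), RSA encrypt-only, RSA sign-only
        return None
    return struct.unpack(">H", body[6:8])[0]    # first MPI is n; prefix is its bit count


def audit_keyring(data):
    """Return [(kind, bits, verdict)] for every RSA primary key (tag 6) and subkey (tag 14).

    Subkeys matter because apt verifies whichever key produced the InRelease
    signature, which is frequently a signing subkey rather than the primary.
    """
    results = []
    for tag, body in iter_packets(data):
        if tag in (6, 14):
            bits = rsa_bits_of_key_packet(body)
            if bits is not None:
                kind = "primary" if tag == 6 else "subkey"
                results.append((kind, bits, classify_rsa_bits(bits)))
    return results


def synthetic_rsa_key_packet(bits, tag=6, new_format=False):
    """Syntactically valid v4 RSA key packet with a made-up modulus (test data only)."""
    n = (1 << (bits - 1)) | 1                    # top bit set so the MPI length is exact
    e = 65537
    body = (bytes([4]) + struct.pack(">I", 1700000000) + bytes([1])
            + struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")
            + struct.pack(">H", e.bit_length()) + e.to_bytes(3, "big"))
    if new_format:
        hdr = bytes([0xC0 | tag, 255]) + struct.pack(">I", len(body))
    else:
        hdr = bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body))
    return hdr + body


# Constructed keyring: a 1024-bit primary with a 4096-bit subkey, then a 2048-bit primary.
SAMPLE_KEYRING = (synthetic_rsa_key_packet(1024)
                  + synthetic_rsa_key_packet(4096, tag=14, new_format=True)
                  + synthetic_rsa_key_packet(2048))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYRING
    for kind, bits, verdict in audit_keyring(data):
        print(f"RSA {bits}-bit {kind}: {verdict}")
```

Run it with no argument to see the verdicts for the embedded synthetic keys, or pass a dearmored keyring path. For a Launchpad-wide survey the same classifier could be applied to the key material resolved from each archive's signing-key fingerprint, which I believe launchpadlib exposes on archive objects as `signing_key_fingerprint` (an assumption on my part about the API, not something confirmed in this thread).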

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel