Bug#783497: [chdist] copies apt keys, fails to update keys, enables removed 1024bit keys by default

Helmut Grohne helmut at subdivi.de
Mon Apr 27 14:33:27 UTC 2015


Package: devscripts
Version: 2.15.3
Severity: wishlist
File: /usr/bin/chdist
Tags: security

When creating a tree with chdist, it copies the keys from the
debian-archive-keyring package. After a while the keys are recycled, but
chdist still uses the old ones it copied ages ago and starts to fail
suddenly after a stable release.

Since debian-archive-keyring is almost essential (you must remove apt to
get rid of it), it seems to make more sense to symlink those keyrings
and have them updated when debian-archive-keyring updates.

Furthermore, why does chdist copy the debian-archive-removed-keys.gpg?
The purpose of that file is to get keys untrusted, but chdist makes apt
trust them nonetheless. I question the utility of adding them.

Helmut
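
An added example, not part of the original message and not chdist's own code: a shell function that audits the keyrings in one tree for the two problems reported above, copies that no longer match the packaged keyring and a trusted removed-keys keyring. The tree layout (`<tree>/etc/apt/trusted.gpg.d`) and the reference directory `/usr/share/keyrings` are assumptions, and the function name and status labels are hypothetical.

```shell
#!/bin/sh
# Audit the APT keyrings inside one chdist-style tree.
# Assumptions (not from the original message): the tree keeps its keyrings in
# <tree>/etc/apt/trusted.gpg.d and packaged keyrings live in /usr/share/keyrings.
# Prints one "STATUS file" line per keyring; returns 1 if anything needs attention.
audit_tree_keyrings() {
    tree_keys=$1                       # e.g. "$HOME/.chdist/<dist>/etc/apt/trusted.gpg.d"
    ref_dir=${2:-/usr/share/keyrings}  # keyrings shipped by debian-archive-keyring
    rc=0
    for f in "$tree_keys"/*.gpg; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        name=$(basename "$f")
        case $name in
            *removed-keys*)
                # Removed keys are meant to be untrusted; in this directory apt trusts them.
                echo "TRUSTS-REMOVED $name"; rc=1; continue ;;
        esac
        if [ -L "$f" ]; then
            echo "SYMLINK $name"             # follows debian-archive-keyring updates
        elif [ ! -f "$ref_dir/$name" ]; then
            echo "ORPHAN-COPY $name"; rc=1   # no packaged counterpart to compare with
        elif cmp -s "$f" "$ref_dir/$name"; then
            echo "COPY-CURRENT $name"        # matches today, will not follow key rotation
        else
            echo "COPY-STALE $name"; rc=1    # differs from the packaged keyring
        fi
    done
    return $rc
}

# Usage (path is an assumption about the local setup):
#   audit_tree_keyrings "$HOME/.chdist/<dist>/etc/apt/trusted.gpg.d"
```
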


