Comment 1 for bug 356012

Michael Vogt (mvo) wrote : Re: [SECURITY] APT does not properly handle expired or revoked key signatures

I looked at the branch that Michael posted and this is a no-go for a security update for stable because:

a) it adds new strings
b) it changes config option names:
- string pubringpath = _config->Find("APT::GPGV::TrustedKeyring", "/etc/apt/trusted.gpg");
+ string pubringpath = _config->Find("APT::gpg::TrustedKeyring", "/etc/apt/trusted.gpg");
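
Review bot: the option name passed to _config->Find changes from "APT::GPGV::TrustedKeyring" to "APT::gpg::TrustedKeyring" while the default stays "/etc/apt/trusted.gpg", so a configuration that sets the old name would fall back to the default keyring without any notice. Since this value selects the trusted keyring, keep the existing name, or read the old name as a fallback when the new one is unset, and document the rename.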

Currently I believe this is a problem with gpgv and should be addressed there (also there is some argument
about this given that the man page for gpgv states that it will trust any key).