FS#73705 : Key ID downgrade when unable to fetch keys

FS#73705 - Key ID downgrade when unable to fetch keys

Attached to Project: Pacman
Opened by Allan McRae (Allan) - Thursday, 10 February 2022, 01:26 GMT
Last edited by Allan McRae (Allan) - Friday, 23 December 2022, 13:59 GMT

Task Type	Bug Report
Category	General
Status	Closed
Assigned To	Allan McRae (Allan)
Architecture	All
Severity	Medium
Priority	Normal
Reported Version	6.0.1
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

We are doing a keyid downgrade when we are unable to fetch keys. It should probably be noted that 0xshort keyid are trivially bruteforced and any downgrades could imply that we are fetching malicious key.

Again, how bad this is probably depends on the trust model of the distro. Arch
should be fine. Not sure if there is a good solution here. Do we still have the keyid lookup issue for subkeys problem with the recent ubuntu keyservers?

This task depends upon

Closed by Allan McRae (Allan)
Friday, 23 December 2022, 13:59 GMT
Reason for closing: Upstream

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#73705 - Key ID downgrade when unable to fetch keys

Details

Loading...