Historical bug tracker for the Pacman package manager.
The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues
This tracker remains open for interaction with historical bugs during the transition period. Any new bug reports will be closed without further action.
FS#73705 - Key ID downgrade when unable to fetch keys
Attached to Project: Pacman
Opened by Allan McRae (Allan) - Thursday, 10 February 2022, 01:26 GMT
Last edited by Allan McRae (Allan) - Friday, 23 December 2022, 13:59 GMT
Details
We are doing a keyid downgrade when we are unable to fetch keys. It should probably be noted that 0xshort keyids are trivially brute-forced, and any downgrade could imply that we are fetching a malicious key.
Again, how bad this is probably depends on the trust model of the distro. Arch should be fine. Not sure if there is a good solution here. Do we still have the keyid lookup problem for subkeys with the recent Ubuntu keyservers?
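The check a key-fetching client can apply to avoid the downgrade described in this report, as an added example that is not pacman's code and not part of the original report: a key ID is only the tail of the fingerprint, so a fetched key is accepted only when the full fingerprint was requested and matches. The function names and the fingerprints are constructed for illustration, and 40-hex-digit OpenPGP v4 fingerprints are assumed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Kinds of key reference, by hex length (OpenPGP v4: 160-bit fingerprint). */
enum key_ref { REF_INVALID, REF_SHORT_ID = 8, REF_LONG_ID = 16, REF_FINGERPRINT = 40 };

static const char *skip_0x(const char *s)
{
    return (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) ? s + 2 : s;
}

enum key_ref classify_key_ref(const char *ref)
{
    const char *hex = skip_0x(ref);
    size_t n = strlen(hex);
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)hex[i]))
            return REF_INVALID;
    return (n == 8 || n == 16 || n == 40) ? (enum key_ref)n : REF_INVALID;
}

/* A key ID is only the tail of the fingerprint, so this match proves little. */
int suffix_matches(const char *ref, const char *fpr)
{
    const char *r = skip_0x(ref), *f = skip_0x(fpr);
    size_t rn = strlen(r), fn = strlen(f);
    if (rn > fn)
        return 0;
    f += fn - rn;
    for (size_t i = 0; i < rn; i++)
        if (tolower((unsigned char)r[i]) != tolower((unsigned char)f[i]))
            return 0;
    return 1;
}

/* Hypothetical policy: import only when the full fingerprint was requested and matches. */
int accept_fetched_key(const char *requested, const char *fetched_fpr)
{
    if (classify_key_ref(requested) != REF_FINGERPRINT ||
        classify_key_ref(fetched_fpr) != REF_FINGERPRINT)
        return 0;
    return suffix_matches(requested, fetched_fpr);
}

int main(void)
{
    /* Constructed fingerprints: two different keys sharing the last 8 hex digits. */
    const char *wanted = "0123456789ABCDEF0123456789ABCDEFDEADBEEF";
    const char *other  = "FEDCBA9876543210FEDCBA9876543210DEADBEEF";
    printf("short id matches other key: %d\n", suffix_matches("0xDEADBEEF", other));
    printf("accepted on short id:       %d\n", accept_fetched_key("0xDEADBEEF", other));
    printf("accepted on fingerprint:    %d\n", accept_fetched_key(wanted, wanted));
    printf("other key for fingerprint:  %d\n", accept_fetched_key(wanted, other));
    return 0;
}
```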