Pacman

Historical bug tracker for the Pacman package manager.

The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues

This tracker remains open for interaction with historical bugs during the transition period. Any new bugs reports will be closed without further action.
Tasklist

FS#73705 - Key ID downgrade when unable to fetch keys

Attached to Project: Pacman
Opened by Allan McRae (Allan) - Thursday, 10 February 2022, 01:26 GMT
Last edited by Allan McRae (Allan) - Friday, 23 December 2022, 13:59 GMT
Task Type Bug Report
Category General
Status Closed
Assigned To Allan McRae (Allan)
Architecture All
Severity Medium
Priority Normal
Reported Version 6.0.1
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

We are doing a keyid downgrade when we are unable to fetch keys. It should probably be noted that 0xshort keyid are trivially bruteforced and any downgrades could imply that we are fetching malicious key.

Again, how bad this is probably depends on the trust model of the distro. Arch
should be fine. Not sure if there is a good solution here. Do we still have the keyid lookup issue for subkeys problem with the recent ubuntu keyservers?
This task depends upon

Closed by  Allan McRae (Allan)
Friday, 23 December 2022, 13:59 GMT
Reason for closing:  Upstream

Loading...