FS#73705 - Key ID downgrade when unable to fetch keys
Attached to Project: Pacman
Opened by Allan McRae (Allan) - Thursday, 10 February 2022, 01:26 GMT
Last edited by Allan McRae (Allan) - Friday, 23 December 2022, 13:59 GMT
Details
We are doing a keyid downgrade when we are unable to fetch keys. It should probably be noted that 0xshort keyids are trivially bruteforced and any downgrades could imply that we are fetching a malicious key.
Again, how bad this is probably depends on the trust model of the distro. Arch should be fine. Not sure if there is a good solution here. Do we still have the keyid lookup issue for subkeys problem with the recent Ubuntu keyservers?
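One defensive check against the downgrade described above, as an added example (not pacman's code and not part of the original report): a key returned by a lookup that fell back to a shortened key ID is accepted only if its primary or a subkey fingerprint equals the full fingerprint originally requested. The struct, the function names and all fingerprints are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define FPR_LEN 40      /* v4 OpenPGP fingerprint: 160 bits as hex digits */
#define MAX_SUBKEYS 4   /* illustrative bound for this example */
/* Hypothetical view of one key returned by a keyserver lookup. */
struct fetched_key {
    const char *primary_fpr;
    const char *subkey_fprs[MAX_SUBKEYS];   /* unused slots are NULL */
};

/* Constructed sample data: both keys end in the short ID 01234567. */
const char *const REQUESTED = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567";
const struct fetched_key GENUINE = { "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    { "0123456789abcdef0123456789abcdef01234567", NULL } };
const struct fetched_key COLLIDING = { "ffffffffffffffffffffffffffffffff01234567", { NULL } };

/* Copy hex digits of s, uppercased, into out (skips "0x", spaces); 0 on error. */
static size_t normalize_hex(const char *s, char *out, size_t cap)
{
    size_t n = 0;
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) s += 2;
    for (; *s; s++) {
        if (*s == ' ') continue;
        if (!isxdigit((unsigned char)*s) || n + 1 >= cap) return 0;
        out[n++] = (char)toupper((unsigned char)*s);
    }
    out[n] = '\0';
    return n;
}

static int fpr_equal(const char *want, const char *got)
{
    char g[FPR_LEN + 1];
    return got && normalize_hex(got, g, sizeof g) == FPR_LEN && strcmp(want, g) == 0;
}

/* 1 only if the key carries the full requested fingerprint (primary or subkey). */
int key_matches_request(const char *requested, const struct fetched_key *key)
{
    char want[FPR_LEN + 1];
    if (normalize_hex(requested, want, sizeof want) != FPR_LEN)
        return 0;   /* a short or long key ID is not enough to pin a key */
    if (fpr_equal(want, key->primary_fpr)) return 1;
    for (size_t i = 0; i < MAX_SUBKEYS && key->subkey_fprs[i]; i++)
        if (fpr_equal(want, key->subkey_fprs[i])) return 1;
    return 0;
}
```

The subkey comparison matters because a package signature may name a signing subkey rather than the primary key, so comparing only the primary fingerprint would reject a genuine key.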