Dodging Bullets With Debian GNU/Linux

A recent bug reported in Ubuntu GNU/Linux is that apt-key fails to properly check the package-signing keys downloaded from an Ubuntu repository. Debian has the same faulty code but thankfully it is disabled.

On a Debian GNU/Linux system:
grep URI /usr/bin/apt-key
ARCHIVE_KEYRING_URI=””
#ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg
# update the current archive signing keyring from a network URI
if [ -z “$ARCHIVE_KEYRING_URI” ]; then
(cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI)

On an Ubuntu GNU/Linux system:
grep URI /usr/bin/apt-key
ARCHIVE_KEYRING_URI=http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
# update the current archive signing keyring from a network URI
if [ -z “$ARCHIVE_KEYRING_URI” ]; then
(cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI)

This time, Debian got it right. Now the Ubuntu guys are likely going to have to wash all the keys… in systems… in backups of systems …

Thanks to Georgi Guninski for discovering this and doing the right thing.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology. Bookmark the permalink.

2 Responses to Dodging Bullets With Debian GNU/Linux

  1. Thanks. Fixed it. It is late.

  2. D-G says:

    Both code excerpts are the same. Too busy watching for explosions from that satellite in Redmond?

Leave a Reply