Control: clone -1 -2
Control: reassign -2 apt
Control: tag -1 wontfix

On Wed, Sep 11, 2024 at 07:27:18PM +0200, Paride Legovini wrote:
> control: tags -1 + upstream
>
> On Wed, 21 Aug 2024 Holger Levsen <hol...@layer-acht.org> wrote:
> > On Tue, Jul 30, 2024 at 07:55:51PM +0900, Paride Legovini wrote:
> > > Well, in my case using `gpgv-sq -vv` clarified:
> > >
> > > gpgv: Signature made Tue Jul 30 07:09:17 2024 +09:00
> > > gpgv: using RSA key 0AB215679C571D1C8325275B9BDB3D89CE49EC21
> > > gpgv: Can't check signature: Bad public key
> > > Signing key on 0AB215679C571D1C8325275B9BDB3D89CE49EC21 is not bound:
> > > gpgv: error: No binding signature at time 2024-07-29T22:09:17Z
> > > gpgv: because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
> > > gpgv: because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
> > >
> > > so the signature was rejected because of the default policy.
> >
> > So I guess we should tag this bug "upstream" and "wontfix"?
>
> Hi, I tagged this bug upstream. I still hope it's not a full wontfix, as
> this prevents debootstrapping old Debian and Ubuntu releases, with
> release files signed with older (weaker) keys.

You can override this with a custom security policy:

https://docs.rs/sequoia-policy-config/latest/sequoia_policy_config/

[hash_algorithms]
sha1.second_preimage_resistance = 2026-01-01

The next version of APT will include said policy and apply it by default
to give a grace period of about one year, but as for gpgv-sq, I think the
default behavior makes sense.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                          i speak de, en