> Algorithms missing in "APT::Key::Assert-Pubkey-Algo" cause errors now,
> whereas algorithms in
> "APT::Key::Assert-Pubkey-Algo::Next" cause warnings.
The word "missing" is, er, missing, in the second part of that sentence,
right? The full correct sentence is (diff capitalized by me):
Algori
The level has changed:
Algorithms missing in "APT::Key::Assert-Pubkey-Algo" cause errors now,
whereas algorithms in "APT::Key::Assert-Pubkey-Algo::Next" cause
warnings.
Accordingly, the values were moved around such that
"APT::Key::Assert-Pubkey-Algo::Next" matches the old
APT::Key::Assert-Pubke
Put the security levels (noble release vs unapproved vs oracular) into a
table in
https://docs.google.com/document/d/1rIREl1ebAoJXyqjig5MlV1-Jae9EREcApuVMlKT1whQ/edit?tab=t.0
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ap
Ah, sorry about neglecting the other curves here. I'm much less
concerned about the curve changes.
Someone who chooses these curves has thought about it and made their
choice. Someone who is on RSA1024 might not know that they're on the
"very best of y2k" playlist. The NSA may have suggested every
Thanks @Seth! Your comment #18 seems to have focused mostly on the RSA
keys, did you get a chance to also look at the new NIST, brainpoolP, and
secp algorithms that were added/swapped around? From the table in
comment #22 (also comment #20), looks like another change is that NIST
P-{256,384,512} in
Here is a screenshot of the document from comment #20
** Attachment added: "apt-security-levels.png"
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/2073126/+attachment/5867457/+files/apt-security-levels.png
Ah, thank you both Andreas and Julian for working with me to understand
these changes better.
If we're already supporting rsa1024 in noble, that would explain why we
haven't seen a deluge of support requests around it. Fair. Tightening it
in an update a year later, absent impressive news, would be
> I don't understand why today is the right day to allow weaker RSA
keys.
I don't think that changed. To recap (and these changes are confusing,
yes, but this is my understanding of the final result):
# Noble release
- there is only one list of crypto algorithms: Assert-Pubkey-Algo
- anything NOT
Thanks for your summary, Andreas, I found it very helpful.
This guide appeared to be the newest from NIST that I could find on the
topic of key lengths
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf
-- page 21 (marked 11 on the page) appears to say n=1024 is still
@ubuntu-security, could I please get your take on the changes introduced
by this SRU? I believe I summarized them in comment #16 (unless @juliank
chimes in with a correction!).
It's basically the list of crypto algorithms that need checking.
RSA1024 still triggers a "weak key" warning.
https://
So from my understanding, these are the big changes in this SRU,
regarding the crypto config.
a) Algorithms MISSING from Assert-Pubkey-Algo are now treated as an
ERROR, whereas before (noble release) they were WARNINGS;
b) The list of algorithms in Assert-Pubkey-Algo changed:
">=rsa2048,ed2551
I tested with (only changed rsa from the defaults):
APT::Key::Assert-Pubkey-Algo ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1";
APT::Key::Assert-Pubkey-Algo::Next ">=rsa5120,ed25519,ed448,nistp256,nistp384,nistp512";
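The two-list rule the thread describes (a key matched by nothing in Assert-Pubkey-Algo is an error; a key matched there but by nothing in ::Next is a warning; a key in both is silently accepted) is easiest to sanity-check with a small classifier. The following is an added example in Python, not apt's own implementation: it parses apt.conf-style option lines, using as constructed sample input the two values the commenter above reports testing with (not the shipped defaults), and classifies a key's algorithm name. The entry syntax is assumed from those values: a bare name is an exact match, and a ">=" prefix means "same family, at least this many bits". The `missing_is_error` switch models the older noble-release behaviour the thread mentions, where a miss in the single list was only a warning.

```python
"""Classify an OpenPGP signing-key algorithm against the two
APT::Key::Assert-Pubkey-Algo lists.  Added illustration; not apt's code."""
import re

# Constructed sample: the values quoted in the thread, not apt's defaults.
SAMPLE_APT_CONF = '''
APT::Key::Assert-Pubkey-Algo ">=rsa2048,ed25519,ed448,nistp256,nistp384,nistp512,brainpoolP256r1,brainpoolP320r1,brainpoolP384r1,brainpoolP512r1,secp256k1";
APT::Key::Assert-Pubkey-Algo::Next ">=rsa5120,ed25519,ed448,nistp256,nistp384,nistp512";
'''

# Matches one apt.conf option line for either list (assumed layout).
_OPTION = re.compile(r'APT::Key::Assert-Pubkey-Algo(::Next)?\s+"([^"]*)"\s*;')
# Splits a name into family letters, optional size digits and a tail,
# e.g. brainpoolP256r1 -> ("brainpoolP", "256", "r1"), rsa2048 -> ("rsa", "2048", "").
_NAME = re.compile(r'^([A-Za-z]+)(\d+)?([A-Za-z0-9]*)$')


def parse_apt_conf(text):
    """Return (assert_list, next_list) from apt.conf-style option lines."""
    lists = {False: [], True: []}
    for m in _OPTION.finditer(text):
        is_next = m.group(1) is not None
        lists[is_next] = [e.strip() for e in m.group(2).split(',') if e.strip()]
    return lists[False], lists[True]


def _split(name):
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised algorithm name: {name!r}")
    family, bits, tail = m.groups()
    return family, (int(bits) if bits else None), tail


def entry_matches(entry, key):
    """True if a single list entry accepts the key's algorithm name."""
    if entry.startswith('>='):
        e_family, e_bits, e_tail = _split(entry[2:])
        k_family, k_bits, k_tail = _split(key)
        return (e_family == k_family and e_tail == k_tail
                and e_bits is not None and k_bits is not None
                and k_bits >= e_bits)
    return entry == key


def classify(key, assert_list, next_list=(), missing_is_error=True):
    """'error', 'warning' or 'ok' for a key algorithm such as 'rsa1024'.

    missing_is_error=False models the single-list noble-release behaviour
    described in the thread, where an unlisted algorithm only warned.
    """
    if not any(entry_matches(e, key) for e in assert_list):
        return 'error' if missing_is_error else 'warning'
    if next_list and not any(entry_matches(e, key) for e in next_list):
        return 'warning'
    return 'ok'


def classify_with_sample(key):
    """Convenience wrapper over the sample configuration above."""
    assert_list, next_list = parse_apt_conf(SAMPLE_APT_CONF)
    return classify(key, assert_list, next_list)


if __name__ == '__main__':
    for k in ('rsa1024', 'rsa2048', 'rsa4096', 'rsa5120', 'ed25519',
              'nistp256', 'brainpoolP256r1', 'secp256k1', 'dsa1024'):
        print(f'{k:18} {classify_with_sample(k)}')
```

Running it with the sample lists shows the effect the thread is arguing about: rsa1024 and dsa1024 are errors, rsa2048 through rsa4096 and every brainpool/secp curve pass the first list but warn because they are absent from ::Next, and rsa5120 and larger, ed25519, ed448 and the nistp curves are silent.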
So to summarize, and please confirm or deny my understanding below,
comparing to 2.7.14build2 which is current noble release+updates:
- Assert-Pubkey-Algo reintroduces >= rsa1024 (was rsa2048), and allows more
nist curves[1]. It's downgrading the RSA key size to 1024.
- there is no error whatsoev
** Description changed:
- (This is uploaded to noble as 2.8.1 per
- https://wiki.ubuntu.com/AptUpdates)
+ (Please see https://wiki.ubuntu.com/AptUpdates for the versioning)
[Impact]
- We have received feedback from users that use NIST-P256 keys for their
repositories that are upset about rec
** Changed in: apt (Ubuntu Noble)
Milestone: ubuntu-24.04.1 => None
** Description changed:
(This is uploaded to noble as 2.8.1 per
https://wiki.ubuntu.com/AptUpdates)
[Impact]
We have received feedback from users that use NIST-P256 keys for their
repositories that are upset about receiving a warning. APT 2.8.0 in
noble-proposed would bump the warning
This bug was fixed in the package apt - 2.9.7
---
apt (2.9.7) unstable; urgency=medium
[ sid ]
* Show installed version (not candidate version) while removing a package
[ David Kalnischkies ]
* Parse snapshot option for apt show/list (Closes: #1075819)
[ Frans Spiesschaert
** Tags removed: block-proposed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2073126
Title:
More nuanced public key algorithm revocation
Status in apt package in Ubuntu:
** Tags added: block-proposed-noble
this upload is not to be accepted to -updates before the discussion on
ubuntu-release@ is concluded
** Tags added: block-proposed
** Description changed:
+ (This is uploaded to noble as 2.8.1 per
+ https://wiki.ubuntu.com/AptUpdates)
+
[Impact]
We have received feedback from users that use NIST-P256 keys for their
repositories that are upset about receiving a warning. APT 2.8.0 in
noble-proposed would bump the warning
Hello Julian, or anyone else affected,
Accepted apt into noble-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/apt/2.8.1 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Tes
** Description changed:
[Impact]
We have received feedback from users that use NIST-P256 keys for their
repositories that are upset about receiving a warning. APT 2.8.0 in
noble-proposed would bump the warning to an error, breaking them.
We also revoked additional ECC curves, which may
** Changed in: apt (Ubuntu Oracular)
Status: New => Fix Committed
** Tags added: regression-proposed