Reality check:
That means that all source packages received via 'apt-get source' are not
trusted by a clean Ubuntu installation?
Is there a safe way to get the full public key (not the short, unsafe keyid) for
a source package then?
Thanks
** Summary changed:
- 'linux' source package signature is not va
Thanks for the bug report.
This isn't as dire as it looks:
APT's security model is based on signed InRelease files that have
sha256sums of all archive contents. In this case, the InRelease file
will have a sha256sum for one of the Sources files, and that file will
have a sha256sum for the linux s
Julian, do you have any ideas how this could be handled better? I'm
short on ideas here. The gpgv output seems useful but it's also
potentially misleading.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.
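The hash chain described in the reply above (InRelease lists a sha256sum for a Sources file, which in turn lists sha256sums for the source package files), sketched as an added example that is not code from APT or from this thread. It assumes the InRelease signature has already been verified and its clearsigned body extracted; the function names, file names and sample data are hypothetical and constructed for illustration.

```python
import hashlib

def hash_entries(text, field):
    """Parse a multi-line 'FIELD:' block of '<sha256> <size> <name>' lines."""
    entries, inside = {}, False
    for line in text.splitlines():
        if line.startswith(field + ":"):
            inside = True
        elif inside and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        elif inside:
            break  # next field begins, the hash block is over
    return entries

def matches(entries, name, data):
    """True only if name is listed and both size and SHA-256 agree."""
    digest, size = entries.get(name, (None, -1))
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

def stanza_for(sources_text, package):
    """Return the Sources stanza whose Package field equals package."""
    for stanza in sources_text.split("\n\n"):
        if ("Package: " + package) in stanza.splitlines():
            return stanza
    return ""

def verify_chain(inrelease, sources_name, sources, package, filename, data):
    """Signed InRelease body -> Sources index -> Checksums-Sha256 -> file."""
    if not matches(hash_entries(inrelease, "SHA256"), sources_name, sources):
        return False  # Sources index is not the one the signed file describes
    stanza = stanza_for(sources.decode(), package)
    return matches(hash_entries(stanza, "Checksums-Sha256"), filename, data)

def _line(data, name):
    """Build one '<sha256> <size> <name>' entry for the constructed samples."""
    return f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}\n"

# Constructed sample data, not taken from a real archive.
DSC = b"Format: 3.0 (quilt)\nSource: linux\n"
SOURCES = ("Package: hello\nChecksums-Sha256:\n" + _line(b"x", "hello.dsc")
           + "\nPackage: linux\nChecksums-Sha256:\n"
           + _line(DSC, "linux_0.dsc")).encode()
INRELEASE = "Origin: Example\nSHA256:\n" + _line(SOURCES, "main/source/Sources")

if __name__ == "__main__":
    print(verify_chain(INRELEASE, "main/source/Sources", SOURCES,
                       "linux", "linux_0.dsc", DSC))
```
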
** Information type changed from Private Security to Public Security
** Package changed: ubuntu => apt (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1649097
Title:
'linux' source package s