Dodging Bullets With Debian GNU/Linux

Filed under
Linux
Security

A recent bug reported in Ubuntu GNU/Linux is that apt-key fails to properly check the package-signing keys downloaded from an Ubuntu repository. Debian has the same faulty code but thankfully it is disabled.

On a Debian GNU/Linux system:

grep URI /usr/bin/apt-key
ARCHIVE_KEYRING_URI=”"
#ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg
# update the current archive signing keyring from a network URI
if [ -z "$ARCHIVE_KEYRING_URI" ]; then
(cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI)

On an Ubuntu GNU/Linux system:

rest here