• Bug#1109665: release-notes: Document APT crypto policies for trixie

    From Julian Andres Klode@21:1/5 to All on Mon Jul 21 13:40:02 2025
    XPost: linux.debian.doc

    Package: release-notes
    Severity: normal
    X-Debbugs-Cc: [email protected]

    APT in trixie has the following cut-offs for OpenPGP key algorithms:

    2026-02-01
    - Keys with SHA-1 self-signatures. These need to be resigned, that
    is, change the expiry to the same value as before, for example.
    - SHA224 signatures
    - v3 signature packets, as used by Open Build Service

    2028-02-01

    - Brainpool Curves

    2030-02-01

    - RSA keys with fewer than 3072 bits

    APT will issue warnings 1 year ahead of the cut-off dates.

    Other keys have been cut off in the past, such as RSA below
    2048 bits and DSA keys.

    The policy can be adjusted following the hint in

    /etc/crypto-policies/back-ends/apt-sequoia.config

    But we may want to introduce a tiny feature in a stable update
    to simply set a fixed policy date (i.e. verify keys using the
    policy as of 2025-08-01 to keep a trixie system with no changes
    in behavior).
    --
    debian developer - deb.li/jak | jak-linux.org - free software dev
    ubuntu core developer i speak de, en

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Chris Hofstaedtler@21:1/5 to Julian Andres Klode on Mon Jul 21 21:20:01 2025

    On Mon, Jul 21, 2025 at 01:37:41PM +0200, Julian Andres Klode wrote:
    > APT in trixie has the following cut-offs for OpenPGP key algorithms:
    > [..]

    Thank you for opening this. Here are some questions however:

    1) is this info relevant for users of APT or for repository
    providers?

    2) if it's relevant for users, what should users look for and what
    should they do when they encounter whatever APT will say/do?

    3) should this go into "Issues to be aware of for trixie" or
    "Possible issues during upgrade"?

    4) trust all the details are in the APT documentation or a manpage.
    Which one is it / which URL can we link to?

    Chris

  • From Julian Andres Klode@21:1/5 to Chris Hofstaedtler on Mon Jul 21 22:10:02 2025

    On Mon, Jul 21, 2025 at 09:15:17PM +0200, Chris Hofstaedtler wrote:
    > On Mon, Jul 21, 2025 at 01:37:41PM +0200, Julian Andres Klode wrote:
    > > APT in trixie has the following cut-offs for OpenPGP key algorithms:
    > > [..]

    > Thank you for opening this. Here are some questions however:

    > 1) is this info relevant for users of APT or for repository
    > providers?

    Both. Repository providers may want to pass --audit to `apt update`
    to check with a 2-years-ahead policy to get messages a year ahead
    of their users.


    > 2) if it's relevant for users, what should users look for and what
    > should they do when they encounter whatever APT will say/do?

    They will receive warnings by APT 1 year ahead of the deprecation
    and need to figure out how to update the keys for their repositories.

    How to do that will depend on their repository, and I can't provide
    any advice on that matter other than contacting the repository
    provider.


    > 3) should this go into "Issues to be aware of for trixie" or
    > "Possible issues during upgrade"?

    It may even warrant its own section, tbh, to give a clear entry
    point of how APT repositories are cut-off.


    > 4) trust all the details are in the APT documentation or a manpage.
    > Which one is it / which URL can we link to?

    We do not provide documentation outside the comment and the debian/NEWS
    entry. We should document the mechanisms, but not the policy, inside
    APT.

    The policy is subject to the policy file in the packaging, as well as
    the default Sequoia policy which are in a sense outside of APT's control
    as an upstream identity (different downstreams may apply their own
    policies).

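The cut-off table in the opening report and the `--audit` look-ahead described in the reply above can be turned into a concrete check. The following is an added example, not APT's or Sequoia's code: it parses just enough of an OpenPGP v4 public-key packet and a v3/v4 signature packet (RFC 4880 layout) to see the public-key algorithm, RSA modulus size, curve OID, signature version and hash algorithm, then applies the dates from the report with a one-year warning window. The two-year `--audit` horizon is my reading of "2-years-ahead"; the packets built at the bottom are constructed test data with dummy moduli and points, not real keys.

```python
"""Check an OpenPGP key and its self-signature against the trixie APT cut-offs.

Added illustration, not APT's or Sequoia's code. Cut-off dates and the one-year
warning window are taken from the bug report; the two-year audit horizon is an
assumed reading of the `--audit` description. Packet parsing follows RFC 4880
only as far as the check needs. Sample packets below are constructed, not real.
"""
from datetime import date, timedelta

CUTOFFS = {                                   # dates as listed in the bug report
    "sha1-self-signature": date(2026, 2, 1),
    "sha224-signature": date(2026, 2, 1),
    "v3-signature-packet": date(2026, 2, 1),
    "brainpool-curve": date(2028, 2, 1),
    "rsa-under-3072": date(2030, 2, 1),
}
WARN_AHEAD = timedelta(days=365)              # APT warns one year ahead of a cut-off
AUDIT_AHEAD = timedelta(days=2 * 365)         # assumed "2-years-ahead" policy for --audit

ALG_RSA, ALG_ECDH, ALG_ECDSA, ALG_EDDSA = 1, 18, 19, 22   # RFC 4880/6637 public-key algorithm IDs
HASH_SHA1, HASH_SHA224 = 2, 11                           # RFC 4880 hash algorithm IDs
BRAINPOOL_OID_PREFIX = bytes.fromhex("2b2403030208")     # OID 1.3.36.3.3.2.8.* (brainpoolP*r1)


def _packet_body(pkt):
    """Unwrap an old-format packet header with a 1- or 2-octet length; return (tag, body)."""
    hdr = pkt[0]
    if hdr & 0xC0 != 0x80:
        raise ValueError("only old-format packet headers are handled here")
    tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
    if ltype == 0:
        length, start = pkt[1], 2
    elif ltype == 1:
        length, start = int.from_bytes(pkt[1:3], "big"), 3
    else:
        raise ValueError("unsupported packet length type")
    return tag, pkt[start:start + length]


def inspect_public_key(pkt):
    """Algorithm, RSA modulus bit size and curve OID of a v4 public (sub)key packet."""
    tag, body = _packet_body(pkt)
    if tag not in (6, 14) or body[0] != 4:
        raise ValueError("expected a v4 public key or subkey packet")
    alg = body[5]                             # version(1) creation-time(4) algorithm(1)
    info = {"algorithm": alg}
    if alg == ALG_RSA:
        info["rsa_bits"] = int.from_bytes(body[6:8], "big")   # MPI bit count of n
    elif alg in (ALG_ECDH, ALG_ECDSA, ALG_EDDSA):
        info["curve_oid"] = bytes(body[7:7 + body[6]])        # 1-octet OID length, then OID
    return info


def inspect_signature(pkt):
    """Version and hash algorithm of a v3 or v4 signature packet."""
    tag, body = _packet_body(pkt)
    if tag != 2:
        raise ValueError("expected a signature packet")
    if body[0] == 4:        # v4: version, sig type, pk alg, hash alg, subpackets...
        return {"version": 4, "hash_alg": body[3]}
    if body[0] == 3:        # v3: version, 0x05, sig type, time(4), key ID(8), pk alg, hash alg
        return {"version": 3, "hash_alg": body[16]}
    raise ValueError("unsupported signature packet version")


def findings(key, selfsig):
    """Names of the cut-off rules this key / self-signature pair falls under."""
    hits = []
    if key["algorithm"] == ALG_RSA and key["rsa_bits"] < 3072:
        hits.append("rsa-under-3072")
    if key.get("curve_oid", b"").startswith(BRAINPOOL_OID_PREFIX):
        hits.append("brainpool-curve")
    if selfsig["hash_alg"] == HASH_SHA1:
        hits.append("sha1-self-signature")
    if selfsig["hash_alg"] == HASH_SHA224:
        hits.append("sha224-signature")
    if selfsig["version"] == 3:
        hits.append("v3-signature-packet")
    return hits


def evaluate(key, selfsig, as_of, audit=False):
    """('ok' | 'warning' | 'rejected', reasons) under the policy as of `as_of` (date or ISO string)."""
    as_of = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    horizon = AUDIT_AHEAD if audit else WARN_AHEAD
    status, reasons = "ok", []
    for name in findings(key, selfsig):
        cutoff = CUTOFFS[name]
        if as_of >= cutoff:
            status = "rejected"
            reasons.append(f"{name}: rejected since {cutoff}")
        elif as_of + horizon >= cutoff:
            status = "warning" if status == "ok" else status
            reasons.append(f"{name}: will be rejected from {cutoff}")
    return status, reasons


# --- constructed sample packets: dummy modulus / point, no real key material ---
def rsa_key_packet(bits):
    n = (1 << (bits - 1)) | 1                                   # dummy modulus of exactly `bits` bits
    body = b"\x04" + b"\x00" * 4 + bytes([ALG_RSA])
    body += bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")
    body += (17).to_bytes(2, "big") + (65537).to_bytes(3, "big")
    return b"\x99" + len(body).to_bytes(2, "big") + body        # tag 6, 2-octet length


def brainpool_key_packet():
    oid = BRAINPOOL_OID_PREFIX + b"\x01\x01\x07"                # brainpoolP256r1
    body = b"\x04" + b"\x00" * 4 + bytes([ALG_ECDSA, len(oid)]) + oid
    body += (515).to_bytes(2, "big") + b"\x04" + b"\x01" * 64   # dummy uncompressed point
    return b"\x99" + len(body).to_bytes(2, "big") + body


def v4_sig_packet(hash_alg):
    body = bytes([4, 0x13, ALG_RSA, hash_alg]) + b"\x00" * 6 + b"\x00\x01\x01"
    return b"\x88" + bytes([len(body)]) + body                  # tag 2, 1-octet length


def v3_sig_packet(hash_alg):
    body = bytes([3, 5, 0x13]) + b"\x00" * 12 + bytes([ALG_RSA, hash_alg]) + b"\x00" * 2 + b"\x00\x01\x01"
    return b"\x88" + bytes([len(body)]) + body


if __name__ == "__main__":
    weak = (inspect_public_key(rsa_key_packet(2048)), inspect_signature(v4_sig_packet(HASH_SHA1)))
    print(evaluate(*weak, as_of="2025-08-01"))                   # SHA-1 self-signature: warning
    print(evaluate(*weak, as_of="2026-02-01"))                   # past the cut-off: rejected
```

Pinning `as_of` to a fixed date such as 2025-08-01 is the behaviour the report floats for a stable update: the verdict then stays the same regardless of the wall clock. Passing `audit=True` shows what a repository provider sees a year before their users do: a Brainpool key evaluated on 2026-08-01 is still "ok" for users but already a warning in audit mode.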
  • From Chris Hofstaedtler@21:1/5 to All on Wed Jul 23 12:40:01 2025

    * Julian Andres Klode <[email protected]> [250721 22:07]:
    > On Mon, Jul 21, 2025 at 09:15:17PM +0200, Chris Hofstaedtler wrote:
    > > On Mon, Jul 21, 2025 at 01:37:41PM +0200, Julian Andres Klode wrote:

    > > > 4) trust all the details are in the APT documentation or a manpage.
    > > > Which one is it / which URL can we link to?

    > We do not provide documentation outside the comment and the debian/NEWS
    > entry. We should document the mechanisms, but not the policy, inside
    > APT.

    > The policy is subject to the policy file in the packaging, as well as
    > the default Sequoia policy which are in a sense outside of APT's control
    > as an upstream identity (different downstreams may apply their own
    > policies).

    Surely the apt package in Debian is to be used in Debian, and thus
    can document the Debian-specifics? If I understand you right, it
    also ships a Debian-specific policy file.

    Chris
