
(MODULES-3307) - Auto update expired keys #795

Merged
merged 1 commit into from
Sep 24, 2018

Conversation

eimlav

@eimlav eimlav commented Sep 18, 2018

@eimlav eimlav force-pushed the modules3307 branch 5 times, most recently from 7f1348e to 6d2b04f, September 20, 2018 11:26
@eimlav eimlav added the feature label Sep 20, 2018
@tphoney

tphoney commented Sep 20, 2018

👍 assuming it can run through our adhoc pipeline

@eimlav eimlav force-pushed the modules3307 branch 2 times, most recently from 1174a2e to bb0f842, September 20, 2018 20:29
@eimlav
Author

eimlav commented Sep 21, 2018

Ran the most recent commit bb0f842 through the adhoc pipeline, and it has now gone green.

[Screenshot: pipeline run, 2018-09-21 09:01:04]

@eimlav eimlav requested a review from tphoney September 21, 2018 08:08
@eimlav eimlav changed the title from "WIP - (MODULES-3307) - Auto update expired keys" to "(MODULES-3307) - Auto update expired keys" Sep 21, 2018
@pmcmaw

pmcmaw commented Sep 24, 2018

LGTM. Merging.

@pmcmaw pmcmaw merged commit 53da1d1 into puppetlabs:master Sep 24, 2018
@anarcat

anarcat commented Jul 30, 2019

This is a really bad idea, I must say. Especially now that some people figured out that you can just flood any PGP key out there, fetching arbitrary keys from keyservers, by default, when checking for existence of the key, seems like a huge security problem.

It will necessarily lead to keys being poisoned and completely disabling the AptSecure key verification mechanism, possibly leading to DoS on the entire server as apt struggles to run at all.

Key updates should be shipped in-band, as a local source parameter (as in puppet://) and that's it. I understand why someone would make the mistake of pulling from keyservers, because apt-key adv exists, but it's not a good idea to set things up that way.

More information on how to properly set up third-party repositories is available here; I strongly suggest this is taken into consideration in this module more broadly:

https://wiki.debian.org/DebianRepository/UseThirdParty
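The distinction the comment above draws, a key pulled from a public keyserver at apply time versus one shipped in-band over the Puppet file server, as an added illustration that is not code from this PR, from anarcat, or from the puppetlabs-apt module itself. It assumes the `apt::key` and `apt::source` parameter names as commonly documented for puppetlabs-apt (`id`, `server`, `source`, and the `key` hash on `apt::source`); the `profile` module path, the repository URL and the all-zero fingerprint are placeholders.

```puppet
# Added example (not the module's own code). Assumes puppetlabs-apt's documented
# apt::key / apt::source parameters; 'profile' module path and fingerprints are placeholders.

# The pattern the thread warns against: the key material is fetched from a public
# keyserver on every node at apply time, so a poisoned or flooded key, or a keyserver
# outage, reaches every node and can leave apt unable to verify anything.
apt::key { 'example_repo_key_from_keyserver':
  id     => '0000000000000000000000000000000000000000', # placeholder fingerprint
  server => 'keyserver.ubuntu.com',
}

# In-band alternative: the key file lives in version control next to the Puppet
# code and is delivered over the existing Puppet channel. No node contacts a
# keyserver; rotating the key means committing a new file and updating the id.
apt::key { 'example_repo_key_in_band':
  id     => '0000000000000000000000000000000000000000', # placeholder fingerprint
  source => 'puppet:///modules/profile/apt/example-repo.gpg',
}

# The same in-band key attached directly to the repository definition, so the
# source and the key that signs it are managed together.
apt::source { 'example_repo':
  location => 'https://repo.example.invalid/debian', # placeholder URL
  release  => 'stable',
  repos    => 'main',
  key      => {
    'id'     => '0000000000000000000000000000000000000000', # placeholder fingerprint
    'source' => 'puppet:///modules/profile/apt/example-repo.gpg',
  },
}
```

The operational check this gives a defender is simple: with the in-band form, an apt key appearing on a node that is not present in the module's file tree is a finding, whereas with the keyserver form there is no local source of truth to compare against.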

@lelutin

lelutin commented Sep 17, 2019

I do concur with @anarcat's analysis of this code. It seems to me to be a pretty bad idea (in general) to automatically download keys from keyservers, especially nowadays since the state of the keyservers is in such bad shape.

I would be more comfortable with this module if this new code was deactivated by default.
