To be clear: is this suggesting that it is currently entirely unsafe to update any operation-critical equipment? It seems that now that the PoC is out in the wild, it will be a matter of days/hours before someone hits a major contributor to the major Linux distros; and all package managers begin to fail.
I don't think this is correct. Debian and its derivatives, at least, use a separate keyring for apt from the one the rest of the system uses. Though Debian does have a keyserver, pushes aren't automatically added to the user-facing keyring; they are manually moved over by a keyring maintainer who would presumably notice someone with a multi-megabyte key.
Ubuntu runs its own SKS keyserver (keyserver.ubuntu.com) and apt-add-repository uses it when adding a PPA repository. I think in theory it's still possible to break the package manager in Ubuntu if someone decides to poison a popular PPA repository/key.
Package managers don't use keyservers to get their keys. Keyring updates are usually shipped as package updates or through a different mechanism. And distro media embeds the signing keys in the ISO to avoid the TOFU problem.
Yes, this seems like it's going to range from very bad to outright terrible. In particular, if the issue propagates prior to patching something like gpg, the package managers would be locked out from updates.
Every time there's an article about IoT security there's a discussion about lack of (security) updates and an upcoming Armageddon. Interestingly it'll be those devices that do not update that are immune to this type of thing.
Package managers don't use keyservers to get their keys (at least, not for the distro's repos). I believe Ubuntu might use them for PPAs, but openSUSE doesn't use them for any OBS projects (and I'm pretty sure this is the same for any RPM repo).
Sibling comments have discussed how this affects Debian, Ubuntu, and openSUSE -- any Arch users know how this affects us? Seems like official repos should be fine, but what about packages from the AUR?
I don’t think the AUR has a concept of package signing—a PKGBUILD will often download a tarball from somewhere and any signing is ad-hoc. The official repositories use their own keyring (which is distributed without a key server).
Correct. The only time when this would concern you is when you add a third-party repository, e.g. one of [1]. This usually involves a manual TOFU step where you do the equivalent of `gpg --recv-keys $ID` on the pacman keyring.
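Added example, not from any commenter above: the manual TOFU step described in the last comment is exactly where a keyserver-poisoned key could enter a package manager keyring, and the defence mentioned earlier in the thread (a maintainer noticing a multi-megabyte key) can be mechanised. The script below walks the packet headers of a binary OpenPGP key export (RFC 4880 section 4.2, old and new format plus partial body lengths) and counts signature packets, so a key fetched with `gpg --recv-keys` and exported with `gpg --export` can be checked before `pacman-key --add`. The `MAX_SIGNATURES` threshold and the sample key built by `build_sample()` are constructed for illustration and are not real keys or numbers from the thread.

```python
"""Count OpenPGP packets in a binary (non-armored) key export.

Added example, not from any commenter in the thread.  It walks the
packet headers defined in RFC 4880 section 4.2 (old and new format, plus
partial body lengths) and tallies packets by tag, so that a key fetched
from a keyserver can be checked for a certification-signature flood
before it is imported into a package manager keyring.
"""
from collections import Counter

# RFC 4880 section 4.3 packet tags relevant to a transferable public key.
TAG_NAMES = {2: "signature", 6: "public-key", 13: "user-id", 14: "public-subkey"}

# Threshold is an assumption chosen for illustration, not a value from the page.
MAX_SIGNATURES = 1000


def _read_new_length(data, pos):
    """Return (length, new_pos, is_partial) for a new-format length field."""
    b1 = data[pos]
    if b1 < 192:
        return b1, pos + 1, False
    if b1 < 224:
        return ((b1 - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if b1 == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (b1 & 0x1F), pos + 1, True  # partial body length


def iter_packets(data):
    """Yield (tag, body) for each packet in a binary OpenPGP stream."""
    pos = 0
    n = len(data)
    while pos < n:
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header byte at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new format: 6-bit tag, variable-length encoding
            tag = ctb & 0x3F
            length, pos, partial = _read_new_length(data, pos)
            body = data[pos:pos + length]
            pos += length
            # Partial body lengths chain until a non-partial length ends the packet.
            while partial:
                length, pos, partial = _read_new_length(data, pos)
                body += data[pos:pos + length]
                pos += length
        else:  # old format: 4-bit tag, 2-bit length type
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                length = n - pos  # indeterminate: runs to end of input
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
            body = data[pos:pos + length]
            pos += length
        yield tag, body


def summarize_key(data):
    """Return per-tag packet counts, total size and a poisoned verdict."""
    counts = Counter(TAG_NAMES.get(tag, f"tag-{tag}") for tag, _ in iter_packets(data))
    return {
        "counts": dict(counts),
        "signatures": counts["signature"],
        "bytes": len(data),
        "poisoned": counts["signature"] > MAX_SIGNATURES,
    }


def new_packet(tag, body):
    """Encode a new-format packet (used only to build the constructed sample)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n -= 192
        length = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def build_sample(num_sigs):
    """Constructed stand-in, not a real key: one pubkey, one user id, num_sigs signatures."""
    stream = new_packet(6, b"\x04" + b"\x00" * 40)
    stream += new_packet(13, b"Example User <user@example.org>")
    for i in range(num_sigs):
        stream += new_packet(2, b"\x04\x10" + i.to_bytes(4, "big") + b"\x00" * 90)
    return stream


if __name__ == "__main__":
    for name, blob in (("normal", build_sample(3)), ("flooded", build_sample(5000))):
        print(name, summarize_key(blob))
```

To use it on a real key, export it in binary form (`gpg --export $ID > key.bin`) and pass the file contents to `summarize_key()`; only if `poisoned` is false would you go on to add it to the pacman keyring. The parser deliberately ignores packet contents, so it stays cheap even on a key that is many megabytes of signatures.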