Provide a sensible example of updating Ubuntu environments

Setting up an Ubuntu environment on debusine unfortunately is harder than it should be. For Debian, one can relatively easily configure the bootstrap task as check_signature_with: system (assuming debusine runs on Debian). Since we are providing a sources.list, mmdebstrap will not automatically add Ubuntu keyrings even when installed on the worker. The same holds if installing debusine on Ubuntu and attempting to do a Debian environment. So we're looking into check_signature_with: external. Now we must provide a keyring URL. What should we put there?

  • file:///usr/share/keyrings/ubuntu-archive-keyring.gpg does not work with pydantic v1 due to issue 6929
  • http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg does not work as that keyring has never been updated
  • https://git.launchpad.net/ubuntu/+source/ubuntu-keyring/plain/keyrings/ubuntu-archive-keyring.gpg does not practically work on Freexian's deployment because the host lacks an AAAA record and our workers have no IPv4 connectivity.
  • https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xf6ecb3762474eda9d21b7022871920d1991bc93c is more fragile. The key content may change, e.g. with hockeypuck updates. It also requires us to know which key signs which Ubuntu release.

I think there should be an easier way to do this.
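
An added illustration of the keyserver fragility mentioned in the last bullet; it is not part of the original report and not debusine code. It shows that two different serialisations of the same key have different bytes (so a content hash would change) but the same OpenPGP v4 fingerprint, which is the stable value to pin. It assumes a binary (de-armored) keyring, and the key material is constructed sample data, not a real Ubuntu key.

```python
import hashlib

def packets(data):
    """Yield (tag, body) for each packet of a binary OpenPGP keyring (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not handled")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled")
            size = 1 << ltype
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def primary_fingerprints(data):
    """Fingerprints (lowercase hex) of the v4 primary keys in a binary keyring."""
    return {
        hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest()
        for tag, body in packets(data)
        if tag == 6 and body[:1] == b"\x04"   # tag 6 = public key, version 4
    }

def keyring_has_key(data, pinned):
    """True if the keyring contains a primary key with the pinned fingerprint."""
    return pinned.lower() in primary_fingerprints(data)

# Constructed sample, not a real key: a v4 RSA public-key body with toy MPIs.
KEY = b"\x04" + (1347449581).to_bytes(4, "big") + b"\x01" + b"\x00\x10\xc3\x51\x00\x11\x01\x00\x01"
UID = b"Constructed Example <key@example.invalid>"
KEYRING_A = b"\x98" + bytes([len(KEY)]) + KEY + b"\xb4" + bytes([len(UID)]) + UID  # old-format headers
KEYRING_B = b"\xc6" + bytes([len(KEY)]) + KEY                                       # new-format header

if __name__ == "__main__":
    for name, ring in (("A", KEYRING_A), ("B", KEYRING_B)):
        print(name, hashlib.sha256(ring).hexdigest()[:16], sorted(primary_fingerprints(ring)))
```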