About this time last year there was some concern over the security of SHA-1 and the beginnings of a move to stronger keys using SHA-2. I wrote a mail to d-d-a[0] indicating that keyring-maint was in favour of moving to strong hashes, and in particular was keen to remove all the legacy v3 keys that were still active. I have sent numerous mails over the past year to try and chase DDs with v3 keys to generate a new v4 key that is linked into our web of trust. In that time we've gone from 200 v3 keys down to 20. While it would be nice to get this number to 0 before dropping support, it seems unlikely that this will happen; in my mail last September[1] I'd stated that I hoped the transition would be completed by Christmas, but there were still people trying to delay beyond that point.

So, on 1st July 2010 keyring-maint will remove all v3 keys from the active Debian keyring; debian-keyring.pgp will become an empty file (we will cease to generate it at all once DSA and ftp-master have confirmed none of their tools are using it any longer). We will allow a 2 month period after this date where we will accept a signature from an old v3 key as part of a trust chain to a new v4 key; it will still require a signature from another DD (and ideally 2). On 1st September 2010 we will no longer trust any v3 keys as part of key replacement.

All affected DDs have been mailed several times about replacing their key, but just in case they've managed to miss the mails to d-d-a, the direct mails or my blog post[2], here is the complete list of affected keys:

  0x0D2156BD3D97C149 Michael Stone <mstone>
  0x225FD911CD269B31 Carlos Barros <cbf>
  0x31E73F14E298966D James R. Van Zandt <jrv>
  0x366CD3FEEBC11B01 Chris Waters <xtifr>
  0x37A73FE355E8BC4D Frederic Lepied <lepied>
  0x3E973117DCC528E9 Ardo van Rangelrooij <ardo>
  0x5C7A46637953F711 Rich Sahlender <rsahlen>
  0x5D6560F85F30F005 Craig Brozefsky <craig>
  0x6B0E322836129171 Jim Westveer <jwest>
  0x723724B4A5B6DD31 Christian Meder <meder>
  0x8FFC405EFD5A67CD Adam Di Carlo <aph>
  0xB0D269DE17F3D4D1 Matthew Vernon <matthew>
  0xBC151FC8D2A913A1 Peter S Galbraith <psg>
  0xC1A0A171C2DCD3B1 Jim Mintha <jmintha>
  0xC3168EBA23F5ADDB Ian Jackson <iwj>
  0xCE951B1160D74C7D Patrick Cole <ltd>
  0xE82A8B0D57137FE5 Paul Seelig <pseelig>
  0xF20E242CE77AC835 Brian White <bcwhite>
  0xFBAA570C3087194D Alan Bain <afrb2>
  0xFFD1B4AC7C19FD19 David Engel <david>

I suspect some of these developers are MIA (and have been in contact with the MIA team); only 2 votes in the recent DPL election. 7 have failed to make any response to my mails. 9 have uploaded packages since August 2008. And 9 were already known to the MIA database. Some have stated they will try and sort out a new key, but have not yet managed to do so.

If you are one of these people, please either get a new key sorted and signed and reply to the mails I've sent you, or reply and say you no longer wish to be involved in Debian. And if you know any of these people, encourage them to get a new key sorted and offer to sign it for them.

J, with his keyring-maint hat on.

[0] http://lists.debian.org/debian-devel-announce/2009/05/msg00005.html
[1] http://lists.debian.org/debian-devel-announce/2009/09/msg00011.html
[2] http://www.earth.li/~noodles/blog/2010/04/out-damnd-pgp-v3.html

-- 
"Just chill. What's with all the rush? Debian is brewed longer for a stronger, fresher taste. We only release it when it's ready."
  -- Robster, posting to debian-devel about Woody.
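For readers wondering what concretely separates a "legacy v3 key" from the v4 key the mail asks people to generate, here is an added example; it is not part of the original mail and not keyring-maint's tooling. It builds two constructed RSA Public-Key packets (the moduli are arbitrary 128-bit integers chosen for the demonstration, not real keys, and nothing here is in the Debian keyring), parses them back, and derives the fingerprint and key ID the way RFC 4880 section 12.2 specifies for each version. The point it makes: a v3 key ID is simply the low 64 bits of the RSA modulus, so anyone generating a modulus can pick the key ID they want and the v3 fingerprint is MD5, while a v4 key ID is the tail of a SHA-1 fingerprint over the whole packet. The function names, the constructed moduli and the creation timestamp are all assumptions of this example.

```python
import hashlib
import struct

# All key material below is constructed for illustration: the moduli are
# arbitrary 128-bit integers, not real RSA keys, and nothing here is a real
# Debian key.


def mpi(n):
    """Encode an integer as an OpenPGP MPI (RFC 4880 section 3.2): a 2-octet
    bit count followed by the big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def read_mpi(buf, pos):
    """Decode an MPI at buf[pos]; return (value, magnitude_bytes, next_pos)."""
    (bits,) = struct.unpack(">H", buf[pos:pos + 2])
    nbytes = (bits + 7) // 8
    body = buf[pos + 2:pos + 2 + nbytes]
    if len(body) != nbytes:
        raise ValueError("truncated MPI")
    return int.from_bytes(body, "big"), body, pos + 2 + nbytes


def public_key_packet(version, created, n, e, validity_days=0):
    """Build an RSA (algorithm 1) Public-Key packet, tag 6, with an old-format
    header octet 0x99 and a 2-octet length (RFC 4880 section 5.5.2)."""
    if version == 3:
        # v3 layout: version, creation time, validity in days, algorithm, MPIs
        body = (bytes([3]) + struct.pack(">I", created)
                + struct.pack(">H", validity_days) + bytes([1]) + mpi(n) + mpi(e))
    elif version == 4:
        # v4 layout: version, creation time, algorithm, MPIs (no validity field)
        body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    else:
        raise ValueError("only v3 and v4 public keys exist")
    return bytes([0x99]) + struct.pack(">H", len(body)) + body


def inspect_key(packet):
    """Report version, fingerprint and key ID of a Public-Key packet, following
    RFC 4880 section 12.2:
      v3: fingerprint = MD5 over the MPI magnitudes of n and e (no length
          fields); key ID = the low 64 bits of the modulus n.
      v4: fingerprint = SHA-1 over 0x99, the 2-octet length and the whole
          packet body; key ID = the low 64 bits of that fingerprint."""
    if packet[0] != 0x99:
        raise ValueError("expected a tag-6 packet with an old-format 2-octet length header")
    (length,) = struct.unpack(">H", packet[1:3])
    body = packet[3:3 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    version = body[0]
    if version == 3:
        pos = 1 + 4 + 2                      # skip creation time and validity days
        algo = body[pos]
        pos += 1
        if algo not in (1, 2, 3):            # v3 keys are RSA only
            raise ValueError("v3 key with non-RSA algorithm %d" % algo)
        n, n_mag, pos = read_mpi(body, pos)
        _, e_mag, pos = read_mpi(body, pos)
        fingerprint = hashlib.md5(n_mag + e_mag).hexdigest().upper()
        key_id = "%016X" % (n & ((1 << 64) - 1))
    elif version == 4:
        fingerprint = hashlib.sha1(packet[:3 + length]).hexdigest().upper()
        key_id = fingerprint[-16:]
    else:
        raise ValueError("unsupported key packet version %d" % version)
    return {"version": version, "fingerprint": fingerprint, "key_id": key_id}


# Two constructed moduli that agree in their low 64 bits and differ above them.
TARGET_LOW64 = 0x0123456789ABCDEF
N_ORIGINAL = (0xA5A5A5A5A5A5A5A5 << 64) | TARGET_LOW64
N_IMPOSTOR = (0x5A5A5A5A5A5A5A5A << 64) | TARGET_LOW64
E = 65537
CREATED = 1275350400   # constructed creation time, seconds since the epoch


def keyid_collision_demo(version):
    """Return (key IDs equal?, fingerprints equal?) for the two moduli at the
    given key version: v3 key IDs collide by construction, v4 key IDs do not."""
    a = inspect_key(public_key_packet(version, CREATED, N_ORIGINAL, E))
    b = inspect_key(public_key_packet(version, CREATED, N_IMPOSTOR, E))
    return a["key_id"] == b["key_id"], a["fingerprint"] == b["fingerprint"]


if __name__ == "__main__":
    for v in (3, 4):
        for n in (N_ORIGINAL, N_IMPOSTOR):
            info = inspect_key(public_key_packet(v, CREATED, n, E))
            print("v%d  key ID %s  fingerprint %s" % (info["version"], info["key_id"], info["fingerprint"]))
    print("v3 key IDs collide:", keyid_collision_demo(3)[0])
    print("v4 key IDs collide:", keyid_collision_demo(4)[0])
```

Running it prints the same v3 key ID for both moduli, because the key ID is just modulus bits, while the two v4 packets get unrelated key IDs. That is why a v3 key ID (and the MD5 v3 fingerprint) is a poor handle for a key in a keyring, and why the replacement key has to be a v4 key signed by other developers rather than something identified by its v3 key ID alone. To check a real key, `gpg --list-keys --with-colons` reports the version in its `pub` records on GnuPG versions of that era, or the packet can be dumped with `gpg --list-packets`.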