On Fri, Jan 06, 2006 at 02:04:49PM +0100, Florian Weimer wrote:
> * Steve Langasek:
>
> > I would encourage you to log into merkel and verify, directly and
> > securely, the key at /org/ftp.debian.org/web/ziyi_key_2006.asc; sign it; and
> > upload your signature to the public keyservers as well, if you are satisfied
> > that this is the key that is being used on ftp-master.debian.org to sign the
> > archive.
>
> Or publish a statement, maybe signed with your OpenPGP key, that the key
>
>   1024D/2D230C5F, fingerprint 084750FC01A6D388A643D869010908312D230C5F
>
> is the 2006 Debian archive key.
>
> This conveys more information than a certifying signature, and avoids
> the problem how you got physical ID for "Debian Archive Automatic
> Signing Key (2006) <ftpmaster@debian.org>", or a verification that the
> keyholder actually reads the mailbox mentioned in the user ID. 8-)

Yes, that's also reasonable, although the downside is a lack of good
distribution channel for such a signed statement -- key signatures you can
throw at any keyserver and they'll stick. :)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
Attachment:
signature.asc
Description: Digital signature