also sprach Steve Langasek <vorlon@debian.org> [2006.01.07.1132 +0100]:
> This is inconsistent with Debian's past policies wrt stable releases,
> namely, that it should be possible for a user to skip all point releases and
> security updates (at the peril of their system's security...) and still be
> able to upgrade when a new stable release comes out. This is necessary if
> we're to accommodate the many Debian deployments which don't have a reliable
> network connection and are only updated when a new stable release is
> published. Please keep this use case in mind while designing solutions for
> the apt key update problem.
As JoeyH suggests on http://wiki.debian.org/SecureApt,
a debian-archive-key package, which contains all keys up until the
current one, would do. Then, whenever a new key comes along, a new
package is distributed via security.d.o.
If we do this, I strongly suggest moving to one-key-per-release
cycles. There is no reason to have a new key each January. As
a matter of fact, if etch comes out in December 2006, the archive keys it
distributes will be usable only for a little more than a month.
--
Please do not send copies of list mail to me; I read the list!
.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer and author: http://debiansystem.info
`. `'`
`- Debian - when you have better things to do than fixing a system
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
"never try to explain computers to a layman.
it's easier to explain sex to a virgin."
-- robert heinlein
(note, however, that virgins tend to know a lot about computers.)
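An added example of the check behind the last point (not code from this mail or from Debian's tools): given the machine-readable key listing from `gpg --with-colons --list-keys` on an archive keyring, report which keys would exist at a planned release date and how many days they remain valid afterwards. The key records below are constructed sample data, and the 2006-12-01 release date is an assumption standing in for the December 2006 etch estimate.

```python
"""Check how long the archive keys shipped in a keyring stay usable after a
given date, such as a stable release date. Input is the machine-readable
output of `gpg --with-colons --list-keys <keyring>` (run separately; the
sample below is constructed, not real Debian key material)."""
from datetime import datetime, timezone

# Constructed sample. Field layout of a `pub` record: type, validity, bits,
# algo, keyid, created, expires (epoch seconds, empty = never), ...
SAMPLE = """\
pub:u:1024:17:0000000011112222:1136073600:1167523200::-:::scSC:
uid:u::::1136073600::AAAA::Archive Signing Key (2006) <ftpmaster@example.invalid>:
pub:u:1024:17:0000000033334444:1167609600:1199059200::-:::scSC:
uid:u::::1167609600::BBBB::Archive Signing Key (2007) <ftpmaster@example.invalid>:
pub:u:1024:17:0000000055556666:1136073600:::-:::scSC:
uid:u::::1136073600::CCCC::Archive Key, no expiry <ftpmaster@example.invalid>:
"""

def _ts(field):
    """Epoch-seconds field to an aware datetime; empty field means 'never'."""
    return datetime.fromtimestamp(int(field), timezone.utc) if field else None

def parse_keys(text):
    """Return one dict per primary key, using its first uid as the name."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "created": _ts(f[5]),
                         "expires": _ts(f[6]), "name": ""})
        elif f[0] == "uid" and keys and not keys[-1]["name"]:
            keys[-1]["name"] = f[9]
    return keys

def usable_after(keys, at_iso):
    """Keys that exist and are unexpired on the ISO date `at_iso`, with the
    number of days they stay valid afterwards (None = no expiry). Keys
    created later cannot be in a keyring built on that date, so they are
    left out: only the keys a release could ship are counted."""
    at = datetime.fromisoformat(at_iso).replace(tzinfo=timezone.utc)
    out = []
    for k in keys:
        if k["created"] > at:
            continue
        if k["expires"] is None:
            out.append((k["keyid"], k["name"], None))
        elif k["expires"] > at:
            out.append((k["keyid"], k["name"], (k["expires"] - at).days))
    return out

if __name__ == "__main__":
    # Assumed release date standing in for the December 2006 etch estimate.
    for keyid, name, days in usable_after(parse_keys(SAMPLE), "2006-12-01"):
        print(f"{keyid} {name}: {'no expiry' if days is None else f'{days} days left'}")
```

With the constructed data, the January-issued 2006 key has 30 days left at a 1 December release, while the 2007 key does not exist yet and so cannot be in the shipped keyring.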