Re: Security guidelines for Debian people
On Sun, 06 Nov 2011, Lars Wirzenius wrote:
> On Thu, Nov 03, 2011 at 03:44:36PM -0200, Henrique de Moraes Holschuh wrote:
> > One thing we have not talked about, is that of subkey validity. It is
> > not that kosher to have anything signed in stable with a subkey which
> > will not be valid for the lifetime of stable, so we should keep that in
> > mind.
> Assuming we're talking about each developer's personal key: what things
> would they be signing that matter? Package upload signatures are
> relevant only until the upload gets accepted into the archive, and
> after that it's the archive signing key that matters.
We don't do much long-term signing, but rarely there will be some
outside of the package workflow, i.e. inside packages themselves or
related to tool operation.
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
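A check for the subkey-validity concern raised above, added here as an example that is not part of this thread or of any Debian tooling: it parses the machine-readable listing of `gpg --list-keys --with-colons` (the sample listing and key ids are constructed) and flags signing-capable subkeys that expire before an assumed end-of-support date for a stable release.

```python
"""Flag signing subkeys that will not stay valid for a release's lifetime.

Parses `gpg --list-keys --with-colons` output: record type in field 1,
key id in field 5, creation and expiry as Unix timestamps in fields 6
and 7, capabilities in field 12. An empty expiry field means no expiry.
"""
from datetime import datetime, timezone

# Constructed sample listing (not real keys): one primary key, three subkeys.
SAMPLE_LISTING = """\
pub:u:4096:1:ABCDEF0123456789:1300000000::::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1300000000::DEADBEEF::Example Developer <dev@example.org>::::::::::0:
sub:u:4096:1:1111111111111111:1300000000:1356998400:::::s::::::23:
sub:u:4096:1:2222222222222222:1300000000:::::::e::::::23:
sub:u:4096:1:3333333333333333:1300000000:1893456000:::::s::::::23:
"""


def parse_subkeys(listing):
    """Yield (keyid, capabilities, expiry) for every 'sub' record.

    expiry is a timezone-aware datetime, or None if the subkey never expires.
    """
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "sub":
            continue
        keyid, expires, caps = fields[4], fields[6], fields[11]
        expiry = None
        if expires:
            expiry = datetime.fromtimestamp(int(expires), tz=timezone.utc)
        yield keyid, caps, expiry


def signing_subkeys_expiring_before(listing, deadline):
    """Return key ids of signing-capable subkeys whose validity ends before
    `deadline` (e.g. the planned end of support of a stable release)."""
    flagged = []
    for keyid, caps, expiry in parse_subkeys(listing):
        if "s" not in caps.lower():
            continue  # encryption- or auth-only subkeys never sign anything
        if expiry is not None and expiry < deadline:
            flagged.append(keyid)
    return flagged


if __name__ == "__main__":
    # Assumed end of support for the release; adjust to the real date.
    end_of_stable = datetime(2016, 6, 1, tzinfo=timezone.utc)
    print(signing_subkeys_expiring_before(SAMPLE_LISTING, end_of_stable))
```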