I have just pushed our pseudo-monthly batch of keyring updates to
Debian. I am happy to inform you that, while the situation described
in Clint Adams' interesting assessment of the state of the Debian
keyring¹ (and the quite constructive conversation that followed) still
holds, and we still have way too many weak (1024D) keys in the Debian
keyring, we got a noticeable effect as a result of said thread: 20 key
upgrade requests in somewhat over a one week period! (mostly from DDs,
with two from DMs IIRC).
So, for any DD or DM reading this and not following the debian-project
list where this thread took place:
As keyring maintainers, we no longer consider 1024D keys to be
trustable. We are not yet mass-removing them, because we don't want to
hamper the project's work, but we definitely will start being more
aggressively deprecating their use. 1024D keys should be seen as
brute-force vulnerable nowadays. Please do migrate away from them into
stronger keys (4096R recommended) as soon as possible.
If you have a key with not-so-many active DD signatures (with
not-so-many ≥ 2) waiting to get it more signed, stop waiting and
request the key replacement².
If you do not yet have a 4096R key, create a new one³ as soon as
possible and get some signatures on it. Once ≥2 DDs have signed it,
please request us to replace your old key. If you cannot get to meet
two DDs in person, please talk to us⁴ and we will find out what to do.
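An added check, not from Gunnar's mail or from the keyring-maint tooling, that a DD or DM can run over their own `gpg --list-keys --with-colons` output to spot the 1024D primary keys this mail asks people to retire; the sample listing and key ids below are constructed:

```shell
#!/bin/sh
# Added example (not part of the original mail): find weak primary keys in
# gpg's machine-readable listing. Real use:
#   gpg --list-keys --with-colons | weak_keys
# "pub" record fields: 1=record type, 3=key length in bits, 4=public-key
# algorithm id (17 = DSA, 1 = RSA, per RFC 4880), 5=long key id.

weak_keys() {
    awk -F: '
        $1 == "pub" {
            # 1024-bit DSA ("1024D") is the case the mail is about; any
            # primary key under 2048 bits is reported as well.
            if (($4 == 17 && $3 <= 1024) || $3 < 2048)
                printf "%s %sbit algo%s\n", $5, $3, $4
        }'
}

# Constructed sample listing with fake key ids, in gpg --with-colons layout:
# one 1024D key, one 4096R key, one 1024R key.
SAMPLE='tru::1:1400000000:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:2005-01-01::u:::scESC::::::
uid:u::::2005-01-01::HASH::Example DD <dd@example.org>::::::::::0:
pub:u:4096:1:FEDCBA9876543210:2014-03-01::u:::scESC::::::
uid:u::::2014-03-01::HASH::Example DD <dd@example.org>::::::::::0:
pub:u:1024:1:0011223344556677:2003-06-01::u:::scESC::::::'

# Number of weak keys found in the sample (2: the 1024D and the 1024R key).
count_weak() {
    printf '%s\n' "$SAMPLE" | weak_keys | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | weak_keys
```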
- Gunnar Wolf
--
¹ https://lists.debian.org/debian-project/2014/02/msg00119.html
² http://keyring.debian.org/replacing_keys.html
³ http://keyring.debian.org/creating-key.html
⁴ keyring-maint@debian.org