
Re: creating a new key (was: Re: Debian GPG Key maintainence?)



On Tuesday, January 7, 2003, at 01:57 pm, Henrique de Moraes Holschuh wrote:

> Really, really bad experiences. I've seen people resign from the project
> over the waiting period.  I suggest you switch to your new key for
> everything but the debian activities that need a key in the Debian keyring.

James' rationale for not accepting new keys, IIRC, was that in most of those cases the web of trust would have been weakened by accepting the new key.

If your new key is signed by more developers than the old one, then I'd guess he'd probably consider adding it. Once it was added, you could drop the old one.

If it didn't get added, you could keep using the old one.


You may notice that several of the "old hands" have *really* old keys in the Debian keyring. I don't know how long we think it would take for, say, the NSA to obtain a developer's private key by brute force (of the metaphorical kind), either with or without access to the encrypted private key, but I am concerned that we are not sufficiently worried about expiring keys.

On the other hand, I expect it would be much easier for any hypothetical adversary to just join the project. Fake identities are apparently not difficult to come by.

It would be nice to have some kind of analysis of why we do what we do somewhere on the web site. Is there anybody who would be in a position to write such a document (i.e. with knowledge and available time)?

It would be even nicer if this hypothetical document stated what types and sizes of key should be regarded as appropriate for Debian use. And gave an indication of how paranoid developers are expected to be in using their key...



Cheers,


Nick
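The two concerns raised above, keys that never expire or have sat in the keyring for years, and key types and sizes that a policy ought to name, are the kind of thing a small audit over `gpg --with-colons --list-keys` output can check mechanically. The script below is an added example for this thread, not code from the mail or from Debian's keyring tooling. The listing it parses is constructed (the key IDs are fictitious) and the thresholds (`MIN_BITS`, `MAX_AGE_DAYS`, `MAX_VALIDITY_DAYS`) are assumptions for illustration, not a Debian policy.

```python
"""Audit a GnuPG keyring listing for keys that never expire, are old, or
are small.  Added example, not code from the mail or from Debian's keyring
tooling.  The records below are constructed: the key IDs are fictitious and
the thresholds are assumptions, not a Debian policy."""
from datetime import date, datetime, timedelta, timezone
from typing import Dict, List, Optional

# Public-key algorithm numbers as printed in field 4 of a pub record (RFC 4880 values).
ALGO_NAMES = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ELG-E", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Policy thresholds (assumed for illustration).
MIN_BITS = {"RSA": 2048, "RSA-E": 2048, "RSA-S": 2048, "DSA": 2048, "ELG-E": 2048}
MAX_AGE_DAYS = 5 * 365        # flag keys created longer ago than this
MAX_VALIDITY_DAYS = 3 * 365   # flag expiry dates further out than this

# Constructed `gpg --with-colons --list-keys` output.  A pub record reads
# type:validity:bits:algo:keyid:created:expires:...; a uid record carries the
# user ID in field 10.  GnuPG 1.x prints dates as YYYY-MM-DD, 2.x as epoch seconds.
SAMPLE_LISTING = """\
pub:-:1024:17:0000000000000001:1996-03-01:::-:::scESC:
uid:-::::1996-03-01::0000000000000000000000000000000000000001::Old Hand <oldhand@example.org>:
sub:-:1024:16:0000000000000002:1996-03-01::::::e:
pub:-:4096:1:0000000000000003:2002-12-30:2004-12-29::-:::scESC:
uid:-::::2002-12-30::0000000000000000000000000000000000000003::New Key <newkey@example.org>:
pub:-:2048:1:0000000000000004:2001-06-15:2002-06-15::-:::scESC:
uid:-::::2001-06-15::0000000000000000000000000000000000000004::Lapsed <lapsed@example.org>:
pub:-:2048:1:0000000000000005:1041465600::::::scESC:
uid:-::::1041465600::0000000000000000000000000000000000000005::Epoch Dates <epoch@example.org>:
"""

# Date the audit is evaluated against (fixed so the sample gives repeatable results).
AUDIT_DATE = date(2003, 1, 8)


def parse_gpg_date(field: str) -> Optional[date]:
    """Decode field 6/7 of a pub record; an empty field means 'not set'."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc).date()
    return date.fromisoformat(field)


def parse_colon_listing(text: str) -> List[dict]:
    """One dict per primary key, with its first user ID attached."""
    keys: List[dict] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({
                "bits": int(f[2]),
                "algo": ALGO_NAMES.get(int(f[3]), "algo" + f[3]),
                "keyid": f[4],
                "created": parse_gpg_date(f[5]),
                "expires": parse_gpg_date(f[6]),
                "uid": "",
            })
        elif f[0] == "uid" and keys and not keys[-1]["uid"]:
            keys[-1]["uid"] = f[9]
    return keys


def audit_key(key: dict, today: date) -> List[str]:
    """Policy findings for one key; an empty list means it passes."""
    findings = []
    if key["expires"] is None:
        findings.append("no expiration date")
    elif key["expires"] < today:
        findings.append("expired %s" % key["expires"])
    elif key["expires"] - today > timedelta(days=MAX_VALIDITY_DAYS):
        findings.append("expiry more than %d days out" % MAX_VALIDITY_DAYS)
    if key["created"] is not None and today - key["created"] > timedelta(days=MAX_AGE_DAYS):
        findings.append("created %s, older than %d days" % (key["created"], MAX_AGE_DAYS))
    minimum = MIN_BITS.get(key["algo"])
    if minimum is not None and key["bits"] < minimum:
        findings.append("%s %d-bit, below %d" % (key["algo"], key["bits"], minimum))
    return findings


def audit_keyring(text: str, today: date) -> Dict[str, List[str]]:
    """Key ID -> findings, for every key with at least one finding."""
    report = {}
    for key in parse_colon_listing(text):
        findings = audit_key(key, today)
        if findings:
            report[key["keyid"]] = findings
    return report


def run_sample() -> Dict[str, List[str]]:
    """Audit the constructed listing against AUDIT_DATE."""
    return audit_keyring(SAMPLE_LISTING, AUDIT_DATE)


if __name__ == "__main__":
    for keyid, findings in run_sample().items():
        print(keyid, "; ".join(findings))
```

To run it against a real keyring, feed `gpg --no-default-keyring --keyring /path/to/keyring.gpg --with-colons --list-keys` into `audit_keyring` with `date.today()`. The checks are deliberately coarse: they say nothing about who signed the key, which is the web-of-trust question the thread is actually about, but they do surface the "really old" and never-expiring keys mentioned above so that a policy document has concrete numbers to argue over.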


