I have just pushed our pseudo-monthly batch of keyring updates to Debian. I am happy to inform you that, while the situation described in Clint Adams' interesting assessment of the state of the Debian keyring¹ (and the quite constructive conversation that followed) still holds, and we still have way too many weak (1024D) keys in the Debian keyring, we got a noticeable effect as a result of said thread: 20 key upgrade requests in somewhat over a one-week period! (mostly from DDs, with two from DMs IIRC).

So, for any DD or DM reading this and not following the debian-project list where this thread took place: As keyring maintainers, we no longer consider 1024D keys to be trustable. We are not yet mass-removing them, because we don't want to hamper the project's work, but we definitely will start deprecating their use more aggressively. 1024D keys should be seen as brute-force vulnerable nowadays. Please do migrate away from them into stronger keys (4096R recommended) as soon as possible.

If you have a key with not-so-many active DD signatures (with not-so-many ≥ 2) waiting to get it more signed, stop waiting and request the key replacement². If you do not yet have a 4096R key, create a new one³ as soon as possible and get some signatures on it. Once ≥2 DDs have signed it, please request us to replace your old key. If you cannot get to meet two DDs in person, please talk to us⁴ and we will find out what to do.

- Gunnar Wolf

--
¹ https://lists.debian.org/debian-project/2014/02/msg00119.html
² http://keyring.debian.org/replacing_keys.html
³ http://keyring.debian.org/creating-key.html
⁴ keyring-maint@debian.org
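As an added example (not part of the mail, nor a keyring-maint tool), here is a small checker that reads GnuPG's machine-readable `gpg --with-colons --list-keys` output, renders each primary key in the Debian shorthand used above (1024D, 4096R) and lists the ones below a chosen size floor; the sample listing and key IDs are constructed for the demo.

```python
"""Flag weak primary keys in `gpg --with-colons --list-keys` output.

Assumes GnuPG's documented colon format: for a 'pub' record the fields are
record type, validity, key length in bits, algorithm number, key id, ...;
the following 'uid' record carries the user id in field 10 (index 9).
"""
import sys

# OpenPGP public-key algorithm ids mapped to the old gpg one-letter style
# that gives the 1024D / 4096R shorthand (17 = DSA, 1/2/3 = RSA, 16/20 = ElGamal).
ALGO_LETTER = {1: "R", 2: "R", 3: "R", 16: "g", 17: "D", 20: "G"}

# Constructed sample listing: one 1024-bit DSA key and one 4096-bit RSA key.
SAMPLE_LISTING = """\
pub:u:1024:17:0123456789ABCDEF:1104537600:::u:::scESC::::::::0:
uid:u::::1104537600::ABCD::Example Developer <dd1@example.org>::::::::::0:
sub:u:2048:16:1111111111111111:1104537600::::::e::::::::0:
pub:u:4096:1:FEDCBA9876543210:1392940800:::u:::scESC::::::::0:
uid:u::::1392940800::EF01::Another Developer <dd2@example.org>::::::::::0:
"""


def parse_colon_listing(text):
    """Return a list of primary keys with bits, algorithm, shorthand and first uid."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            bits, algo = int(fields[2]), int(fields[3])
            keys.append({"keyid": fields[4], "bits": bits, "algo": algo,
                         "shorthand": f"{bits}{ALGO_LETTER.get(algo, '?')}",
                         "uid": None})
        elif fields[0] == "uid" and keys and keys[-1]["uid"] is None:
            keys[-1]["uid"] = fields[9]   # first user id seen after the pub record
    return keys


def weak_keys(keys, min_bits=2048):
    """Keys whose primary key is shorter than min_bits (1024D keys in particular)."""
    return [k for k in keys if k["bits"] < min_bits]


if __name__ == "__main__":
    # Pipe real output in:  gpg --with-colons --list-keys | python3 check_keys.py
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for key in weak_keys(parse_colon_listing(listing)):
        print(f"{key['shorthand']}/{key['keyid']}  {key['uid']}  -> please replace")
```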