Re: apt 0.6 in experimental
On Sat, 27 Dec 2003 12:25:45 -0800
Matt Zimmerman <email@example.com> wrote:
> > That key is "Debian Archive Automatic Signing Key (2003)
> > <firstname.lastname@example.org>" which I thought was supposed to be revoked due to
> > the compromise.
> That key is also still used to sign stable, stable/non-US and
> proposed-updates/non-US, though proposed-updates is signed with the new v2
I was actually going to ask - what happens to stable users when either a
release takes longer than a year to get out, or they want to skip a
stable version and go for the one after?
Perhaps an archive signing key for each dist, instead of one for each
year? Several of each should probably be generated, too, and all but the
live one kept offline in different locations, in case of compromise.
Unless I'm way off?