[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: apt-secure broke?

On Mon, Jan 31, 2005 at 12:51:14PM -0200, Henrique de Moraes Holschuh wrote:
> On Mon, 31 Jan 2005, Anthony Towns wrote:
> > Steve Kowalik wrote:
> > >On Sun, 30 Jan 2005 06:21:26 -0500, Anthony DeRobertis uttered
> > >>I suspect this has to do with
> > >>http://http.us.debian.org/debian/dists/testing/Release.gpg being an
> > >>empty file. Stable still has a signature; what happaned?
> > >If I remember the conversation on IRC correctly, the archive GPG key
> > >expired ...

> > Thus marking almost four years since we've had support for this on the 
> > server, and still no support for it on the client, even in unstable. *sigh*

> > Anyway, should be fixed as of tomorrow. New key at

> >   http://ftp-master.debian.org/ziyi_key_2005.asc

> Would the relevant people mind signing this key so that it is at least worth
> something?  Currently it is signed by the old archive key, which IS an
> unprotected key (as in no passphrase) AFAIK.  And common sense says it is
> also a signature we can never trust on another ziyi key, since anyone who
> could replace a ziyi key could probably sign the replacement key with the
> old one.

I don't know that I'm one of the "relevant people", but since the issue came
up and I do have a trusted path to the data on ftp-master, I've gone ahead
and signed the 2005 key.  I don't have access to push this to
http://ftp-master/, though, so my sig is only available by updating from a

Steve Langasek
postmodern programmer

Attachment: signature.asc
Description: Digital signature

Reply to: