[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: APT public key updates?



* Michael Vogt:

> Sorry for the delay. I'm preparing a new upload that adds the 2006
> archive key to the default keyring. 

Please try to get a new self-signature without an expiration data
first.

If they key is compromised, it has to be (manually) revoked anyway.
Rotating it once per year doesn't make sense.  At the very least,
change the expiration data so that it doesn't fall into the holiday
season.

For stable, an offline key could be used.  Maybe for stable-security,
too.  However, I don't think it's worth the trouble.  If the key
material is compromised because it is only, the attacker has already
reached very central piece of Debian's infrastructure, and we lose
even if the actual key material is stored off-line.



Reply to: