[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: APT public key updates?

* Steve Langasek:

> I would encourage you to log into merkel and verify, directly and
> securely, the key at /org/ftp.debian.org/web/ziyi_key_2006.asc; sign it; and
> upload your signature to the public keyservers as well, if you are satisfied
> that this is the key that is being used on ftp-master.debian.org to sign the
> archive.

Or publish a statement, maybe signed with your OpenPGP key, that the key
1024D/2D230C5F, fingerprint 084750FC01A6D388A643D869010908312D230C5F
is the 2006 Debian archive key.

This conveys more information than a certifying signature, and avoids
the problem how you got physical ID for "Debian Archive Automatic
Signing Key (2006) <ftpmaster@debian.org>", or a verification that the
keyholder actually reads the mailbox mentioned in the user ID. 8-)

Reply to: