[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: APT public key updates?

Anthony Towns wrote:
> Oh, the explanation for current practice is that if the key doesn't
> change in practice, apps that look at the keys won't cope well with the
> key changing, and when that becomes important, such as in the event of
> a compromise, we'll have major difficulties in coping.

In that case I suggest you rotate it every month for a few cycles.

BTW, has anyone thought about what will happen when we have a stable
release that has the 200n key in it and 200n+1 rolls around[1]? Will stable
even be installable anymore? How will the updated key be pushed out to
stable quickly enough? Will we have to rebuild CDs and obsolete all the
old ones then too? Is the current scheme of having overlapping
signatures for 1 month long enough, given that stable users might well
only update their machines quarterly or so?

see shy jo

[1] As is, for example, supposed to happen a month or so after etch is

Attachment: signature.asc
Description: Digital signature

Reply to: