Re: APT public key updates?

To: debian-devel@lists.debian.org
Subject: Re: APT public key updates?
From: Thomas Viehmann <tv@beamnet.de>
Date: Fri, 06 Jan 2006 17:10:57 +0100
Message-id: <[🔎] 43BE9691.5060702@beamnet.de>
In-reply-to: <[🔎] 20060106132114.GA11861@kitenet.net>
References: <[🔎] 2fl64oz1tpi.fsf@saruman.uio.no> <[🔎] 1136416078.4526.1.camel@localhost> <[🔎] 20060105200205.GB20228@kitenet.net> <[🔎] 20060105221306.GA8597@top.ping.de> <[🔎] 2flr77mp5lx.fsf@saruman.uio.no> <[🔎] 20060106003106.GD24652@tennyson.dodds.net> <[🔎] 877j9ep4ny.fsf@becket.becket.net> <[🔎] 20060106033119.GA30916@hoiho.nz.lemon-computing.com> <[🔎] 87d5j5et1b.fsf@becket.becket.net> <[🔎] 20060106071154.GA5732@localhost.localdomain> <[🔎] 20060106132114.GA11861@kitenet.net>

Joey Hess wrote:
> BTW, has anyone thought about what will happen when we have a stable
> release that has the 200n key in it and 200n+1 rolls around[1]? Will stable
> even be installable anymore? How will the updated key be pushed out to
> stable quickly enough? Will we have to rebuild CDs and obsolete all the
> old ones then too? Is the current scheme of having overlapping
> signatures for 1 month long enough, given that stable users might well
> only update their machines quarterly or so?

Given that stable is stable, wouldn't it be possible to sign each stable
release with a special key kept offline without causing too much trouble?
That doesn't solve security updates though, so the key for that would
need to be updated as necessary.

Alternatively, a two link process with a role key kept offline signing
the archive key might be OK as well, but that leaves the question how
not to have that key compromised.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/

Reply to:

References:
- APT public key updates?
  - From: Petter Reinholdtsen <pere@hungry.com>
- Re: APT public key updates?
  - From: Daniel Leidert <daniel.leidert.spam@gmx.net>
- Re: APT public key updates?
  - From: Joey Hess <joeyh@debian.org>
- Re: APT public key updates?
  - From: Michael Vogt <mvo@debian.org>
- Re: APT public key updates?
  - From: Petter Reinholdtsen <pere@hungry.com>
- Re: APT public key updates?
  - From: Steve Langasek <vorlon@debian.org>
- Re: APT public key updates?
  - From: Thomas Bushnell BSG <tb@becket.net>
- Re: APT public key updates?
  - From: Nick Phillips <nwp@nz.lemon-computing.com>
- Re: APT public key updates?
  - From: Thomas Bushnell BSG <tb@becket.net>
- Re: APT public key updates?
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: APT public key updates?
  - From: Joey Hess <joeyh@debian.org>

Prev by Date: Re: net-tools maintenance status
Next by Date: Re: net-tools maintenance status
Previous by thread: Re: APT public key updates?
Next by thread: Re: APT public key updates?
Index(es):
- Date
- Thread