
Re: APT public key updates?

Thus spoke Steve Langasek <vorlon@debian.org> [2006.01.07.1132 +0100]:
> This is inconsistent with Debian's past policies wrt stable releases,
> namely, that it should be possible for a user to skip all point releases and
> security updates (at the peril of their system's security...) and still be
> able to upgrade when a new stable release comes out.  This is necessary if
> we're to accommodate the many Debian deployments which don't have a reliable
> network connection and are only updated when a new stable release is
> published.  Please keep this use case in mind while designing solutions for
> the apt key update problem.

As JoeyH suggests on http://wiki.debian.org/SecureApt,
a debian-archive-key package, which contains all keys up until the
current one, would do. Then, whenever a new key comes along, a new
package is distributed via security.d.o.

If we do this, I strongly suggest moving to one-key-per-release
cycles. There is no reason to have a new key each January. As
a matter of fact, if etch comes out in December 2006, the archive keys it
distributes will be usable only for a little more than a month.

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
"never try to explain computers to a layman.
 it's easier to explain sex to a virgin."
                                                    -- robert heinlein
(note, however, that virgins tend to know a lot about computers.)
