
Re: APT public key updates?

[Paul TBBle Hampson]
> Although as Steve Langasek has pointed out, the Sarge->Etch upgrade
> will be hard unless the etch key becomes available to Sarge users
> who've not touched their system since Sarge r0a... I guess this comes
> down to making the etch key available in some kind of Sarge-signed
> repository

Do sarge systems verify the archive key anyway?  I thought apt 0.5.28
didn't.  But for etch moving forward, I like the ideas I've heard so
far about release keys:

1) One key per stable release.  The key is generated a month or so
   before the release, however long is needed to ensure that it be
   shipped in d-i.  This key is then used for the entire length that
   that release is supported (thus the archive is signed by the keys
   from both stable and oldstable) - in practice I guess the overlap
   goes a year or so.

2) The per-release key obviously can't expire exactly when it should,
   since the release cycle isn't completely predictable, to put it
   mildly.  It might be set to live 4 years or so, and can be revoked
   later as "superseded".

3) Separate keys for other archives - all of the above applies to
   security, volatile, and amd64 as well.  (Unless amd64 makes it to
   ftp.debian.org before etch.)

Attachment: signature.asc
Description: Digital signature

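The overlap scheme in points 1-3, acted out with GnuPG as an added example (this script is not part of the mail above and is not Debian's archive tooling): an oldstable (sarge) key and a stable (etch) key both sign one Release file, a client that only trusts the sarge key still verifies it, and a client with no archive key at all does not. It assumes gpg/gpgv 2.1 or later on the PATH; the key names, the e-mail address and the Release contents are constructed for the demo, and the verification rule (at least one GOODSIG from the client's keyring, no BADSIG, ignore NO_PUBKEY) is the one apt applies to a multiply-signed Release.gpg.

```shell
#!/bin/sh
# Added example, not code from the original mail or from Debian's archive
# tooling. It acts out the per-release key scheme with GnuPG: an oldstable
# (sarge) key and a stable (etch) key both sign one Release file, a client
# that only trusts the sarge key still verifies it, and a client with no key
# does not. Assumes gpg/gpgv 2.1 or later; key names, the e-mail address and
# the Release contents are constructed for the demo.
set -eu

command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1 ||
    { echo "gpg/gpgv not installed; nothing to demonstrate" >&2; exit 0; }

TMP=$(mktemp -d)
export GNUPGHOME="$TMP/archive"     # the archive's signing keyring, away from ~/.gnupg
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$TMP"' EXIT

# gen_release_key NAME EXPIRE -> prints the fingerprint of a new sign-only key.
# A real archive key would be generated offline; %no-protection is only so the
# demo runs unattended.
gen_release_key() {
    gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: Ed25519
Key-Usage: sign
Name-Real: $1
Name-Email: ftpmaster@example.org
Expire-Date: $2
%commit
EOF
    gpg --batch --with-colons --list-secret-keys "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# sign_release FPR... -> Release.gpg with one signature packet per listed key,
# which is how a dual-signed archive looks during the stable/oldstable overlap.
sign_release() {
    users=""
    for fpr; do users="$users -u $fpr"; done
    # shellcheck disable=SC2086
    gpg --batch --yes --armor --detach-sign $users -o "$TMP/Release.gpg" "$TMP/Release"
}

# client_keyring OUT FPR... -> a client's trusted keyring (binary OpenPGP export,
# the format apt reads); no fingerprints gives an empty keyring.
client_keyring() {
    out=$1; shift
    : > "$out"
    [ $# -eq 0 ] || gpg --batch --export "$@" > "$out"
}

# verify_release KEYRING -> 0 if Release.gpg carries at least one GOODSIG from a
# key in KEYRING and no BADSIG. This is apt's rule: gpgv's own exit status is
# non-zero whenever any signature comes from a key the client lacks, so the
# status lines, not the exit code, decide. Missing keys are reported.
verify_release() {
    status=$(gpgv --keyring "$1" --status-fd 1 "$TMP/Release.gpg" "$TMP/Release" 2>/dev/null || true)
    missing=$(printf '%s\n' "$status" | awk '$2 == "NO_PUBKEY" { print $3 }')
    [ -z "$missing" ] || echo "client lacks key(s): $missing" >&2
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then return 1; fi
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '
}

# One key per release, each with a fixed 4-year expiry rather than "until the
# next release". (Separate security/volatile keys would be the same call again.)
SARGE=$(gen_release_key "Debian sarge archive key (demo)" 4y)
ETCH=$(gen_release_key "Debian etch archive key (demo)" 4y)

cat > "$TMP/Release" <<EOF
Origin: Debian (demo)
Suite: stable
Codename: etch
Architectures: i386 amd64
Components: main
EOF

# During the overlap the archive is signed by both the stable and oldstable keys.
sign_release "$ETCH" "$SARGE"

client_keyring "$TMP/keyring-sarge-only.gpg" "$SARGE"   # sarge box, never fetched the etch key
client_keyring "$TMP/keyring-etch.gpg" "$ETCH"          # fresh etch install, key came with d-i
client_keyring "$TMP/keyring-empty.gpg"                 # system with no archive key trusted

verify_release "$TMP/keyring-sarge-only.gpg" && echo "sarge-only client: verified via the oldstable signature"
verify_release "$TMP/keyring-etch.gpg" && echo "etch client: verified"
verify_release "$TMP/keyring-empty.gpg" || echo "keyless client: cannot verify, needs the key by another path"
```

The keyless client is the case the quoted paragraph worries about: nothing in Release.gpg helps a box that trusts no archive key, so the new key has to reach it by some path it already trusts (a signed package, the installer media, or a keyring shipped in a repository signed with the old key). Revocation of a superseded key is not shown; a revocation certificate would be imported into the client keyring the same way the export above is.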