Re: APT public key updates?

On Fri, Jan 06, 2006 at 04:04:56AM -0800, Steve Langasek wrote:

> far :), I would encourage you to log into merkel and verify, directly and
> securely, the key at /org/ftp.debian.org/web/ziyi_key_2006.asc; sign it; and
> upload your signature to the public keyservers as well, if you are satisfied
> that this is the key that is being used on ftp-master.debian.org to sign the
> archive.
> You should *only* do this if you're satisfied that the presence of this file
> in the mirror on merkel is adequate evidence that it's the same key in use
> on ftp-master.  So trusting that the ssh host key of merkel is authentic,
> trusting that someone hasn't compromised both merkel and your network
> (pushing matching, invalid keys to you via merkel and a MITM of
> http://ftp-master.debian.org), and trusting that the propagation from
> ftp-master to merkel is secure.

Do we make a habit of asking ftpmasters to bring the archive keys
along to keysignings? How many ftpmasters would we want to stand up
and tell us that the key in question really is the one that is used
to sign the archives before we should agree to sign it?...

Just thinking that the keysigning at LCA in two weeks might be a good
opportunity to get lots of developers to sign it...

Shameless Plug: There's still time to register - see
http://lca2006.linux.org.au :-)
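The cross-check Steve's quoted message asks for (compare the copy of the
archive key read over ssh from merkel with the copy fetched from
ftp-master over http, and only sign if they are the same key) comes down to
comparing OpenPGP v4 fingerprints, which is what `gpg --fingerprint` prints.
The following is an added, stand-alone example, not code from this thread or
from Debian's tooling: it computes the RFC 4880 fingerprint itself
(SHA-1 over 0x99, a two-octet length and the public-key packet body) and
verifies the armor CRC24 on the way in. The key material is constructed
inline and is RSA-shaped but not a real key; the two "copies" and the
substituted key stand in for files obtained over the two channels.

```python
"""Compare two copies of an armored OpenPGP public key by v4 fingerprint.

Added example; the key below is constructed and must never be imported.
"""
import base64
import hashlib
import struct

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """Radix-64 CRC from RFC 4880 6.1: a transmission check, not a security check."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packets: bytes) -> str:
    """Wrap raw packets in an ASCII-armored public key block with a CRC24 trailer."""
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_BEGIN, "Version: constructed example", ""]
                     + lines + ["=" + crc, ARMOR_END, ""])


def dearmor(text: str) -> bytes:
    """Strip armor headers, decode radix-64 and reject a block whose CRC24 does not match."""
    body, crc_line, in_block, in_headers = [], None, False, True
    for line in text.splitlines():
        if line.strip() == ARMOR_BEGIN:
            in_block = True
            continue
        if line.strip() == ARMOR_END:
            break
        if not in_block:
            continue
        if in_headers:  # armor headers end at the first blank line
            if line.strip() == "":
                in_headers = False
            continue
        if line.startswith("="):
            crc_line = line[1:].strip()
        else:
            body.append(line.strip())
    if not in_block or crc_line is None:
        raise ValueError("not a well-formed armored block")
    data = base64.b64decode("".join(body))
    if int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
        raise ValueError("armor CRC mismatch (corrupted in transit)")
    return data


def iter_packets(data: bytes):
    """Yield (tag, body) for old- and new-format packet headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("packet tag byte without the high bit set")
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: length-type selects 1, 2 or 4 length octets
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(armored: str) -> str:
    """SHA-1 over 0x99 || 2-octet length || primary public-key packet body (RFC 4880 12.2)."""
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6:  # primary public-key packet
            if body[0] != 4:
                raise ValueError("only v4 keys are handled here")
            return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
    raise ValueError("no public-key packet found")


def same_key(copy_a: str, copy_b: str) -> bool:
    """True only if both copies carry the same primary key; the decision to sign hangs on this."""
    return v4_fingerprint(copy_a) == v4_fingerprint(copy_b)


def _mpi(value: int) -> bytes:
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")


def build_constructed_key(seed: bytes) -> str:
    """Constructed RSA-shaped v4 key plus user ID, derived from a seed. Not a real key."""
    n = int.from_bytes(hashlib.sha512(seed).digest() * 2, "big") | (1 << 1023) | 1
    body = b"\x04" + struct.pack(">I", 1136505600) + b"\x01" + _mpi(n) + _mpi(65537)
    pubkey = bytes([0x98, len(body)]) + body  # old format, tag 6, one-octet length
    uid = b"Constructed Example <nobody@example.invalid>"
    return armor(pubkey + bytes([0xB4, len(uid)]) + uid)  # tag 13 user ID packet


if __name__ == "__main__":
    via_ssh = build_constructed_key(b"stand-in for ziyi_key_2006.asc")   # copy read on merkel
    via_http = build_constructed_key(b"stand-in for ziyi_key_2006.asc")  # copy fetched from ftp-master
    substitute = build_constructed_key(b"attacker-supplied key")         # valid armor, different key
    print(v4_fingerprint(via_ssh), same_key(via_ssh, via_http), same_key(via_ssh, substitute))
```

Note what the CRC does and does not buy you: a substituted key with a freshly
computed CRC passes `dearmor` without complaint, so only the fingerprint
comparison across independently obtained copies catches the swap. Against a
real file, `gpg --with-colons --import-options show-only --import file.asc`
gives the same fingerprint this code computes.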



