Re: bits from the release team
On Thu, May 04, 2006 at 08:07:45PM -0400, Joey Hess wrote:
> Goswin von Brederlow wrote:
>> Having the key in the debian-keyring package was a nice idea but
>> ultimatly useless. Sarge users can't fetch the new etch keyring
>> package because the signature doesn't match and the signature
>> doesn't match because the sarge keyring doesn't have the key. Fun
>> fun fun.
> FWIW, I consider this issue solved by the debian-archive-keyring,
> only issue I know if is that upgrades have to manually upgrade it
> before upgrading apt.
Why can't we have a master key that signs the yearly keys? After all,
we have a long-term unique X.509 master key, so what's the difference
with OpenPGP?
--
Lionel
Reply to: