Re: bits from the release team

To: debian-devel@lists.debian.org
Subject: Re: bits from the release team
From: Florian Weimer <fw@deneb.enyo.de>
Date: Fri, 05 May 2006 18:41:35 +0200
Message-id: <[🔎] 87irokv2yo.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 20060505070425.GB13291@capsaicin.mamane.lu> (Lionel Elie Mamane's message of "Fri, 5 May 2006 09:04:25 +0200")
References: <20060502203633.GR9262@mails.so.argh.org> <[🔎] 878xphphi2.fsf@informatik.uni-tuebingen.de> <[🔎] 20060505000745.GA32637@kitenet.net> <[🔎] 20060505070425.GB13291@capsaicin.mamane.lu>

* Lionel Elie Mamane:

> Why can't we have a master key that signs the yearly keys? After all,
> we have a long-term unique X.509 master key, so what's the difference
> with OpenPGP?

End users are typically not exposed to the X.509 keys, which makes
things a lot easier.

By the way, if you've got a master key, you need to plan for key
rollover, too.  Why not apply that procedure directly to the keys used
to sign the release files?  A yearly key change just results in
unnecessary administrative overhead for our users, without providing
any real benefit to them.  A key compromise still needs manual
intervention.

At the very least, if we have to keep that yearly key change for
political reasons, please schedule it in a way that it doesn't happen
in January.

Reply to:

Follow-Ups:
- Re: bits from the release team
  - From: Pierre Habouzit <madcoder@debian.org>

References:
- Re: bits from the release team
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: bits from the release team
  - From: Joey Hess <joeyh@debian.org>
- Re: bits from the release team
  - From: Lionel Elie Mamane <lionel@mamane.lu>

Prev by Date: Sascha Einloft ist nicht im Büro | Sascha Einloft is not in the office.
Next by Date: Re: bits from the release team
Previous by thread: Re: bits from the release team
Next by thread: Re: bits from the release team
Index(es):
- Date
- Thread