
Re: bits from the release team



On 5/5/06, Pierre Habouzit <madcoder@debian.org> wrote:
Proposal 1:

  A possible way would be to have two valid keys at any time, like one
  new key per year (or 6 months if you want) with a validity of 2 years
  (resp. one year).

  That would obviously mean two signatures per package (but I don't
  think that's that much work) and would require the user to update
  their "keyring package" only once every year (or 6 months), which looks
  like a quite reasonable trade-off. Even stable updates can use that
  scheme, since it's released more than once a year.

Why would you need two signatures per package? Simply have a new key
each year that is valid for two years. apt/dpkg is going to have to be
able to handle multiple keys anyway because a user can download from
multiple repositories. The test is if a package is signed by any
trusted key.

Generate the key for 2007 on 1st of December 2006. This gives everyone
a month to get the new key before it's used. As long as the packages
file is signed with both, that should be enough for apt to trust the
install.

In reality, the only way you can truly trust any key is if you get
verification of the fingerprint from some other trusted source. Since
we don't do that, all this discussion is handwaving to solve practical
problems. Perhaps we should be teaching apt/dpkg to fetch the key from
some other source entirely, say an https server, thus avoiding the
issues of transporting keys via the same mechanism as the packages.

Have a nice day,
--
Martijn van Oosterhout <kleptog@gmail.com> http://svana.org/kleptog/
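The overlapping-validity scheme described in the reply above, worked through as an added example that is not part of this thread and not apt's own code: a yearly key valid for two years, a Release file signed with both currently valid keys, and a verifier that accepts the file if any trusted, unexpired key checks out. The type and function names (ArchiveKey, NewYearKey, VerifyAny, Rotation), the use of Ed25519 in place of OpenPGP, and the sample Release content are assumptions of the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"time"
)

// ArchiveKey is one yearly archive signing key with its validity window
// (hypothetical type for this illustration, not apt's own code).
type ArchiveKey struct {
	Year      int
	Pub       ed25519.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
}

// NewYearKey generates the key for one year: valid from 1 January of that
// year for two years, so consecutive yearly keys overlap by a full year.
func NewYearKey(year int) (ArchiveKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	start := time.Date(year, 1, 1, 0, 0, 0, 0, time.UTC)
	return ArchiveKey{year, pub, start, start.AddDate(2, 0, 0)}, priv
}

// VerifyAny is the "signed by any trusted key" test: accept the release if any
// signature (keyed by signing-key year) verifies under a keyring key valid at now.
func VerifyAny(keyring []ArchiveKey, release []byte, sigs map[int][]byte, now time.Time) bool {
	for _, k := range keyring {
		sig, ok := sigs[k.Year]
		inWindow := !now.Before(k.NotBefore) && !now.After(k.NotAfter)
		if ok && inWindow && ed25519.Verify(k.Pub, release, sig) {
			return true
		}
	}
	return false
}

// Rotation walks the scheme: Release is signed with the 2006 and 2007 keys; a user
// on the old keyring still verifies in Jan 2007, fails in 2008, and passes after updating.
func Rotation() (stillValid, expired, updated bool) {
	k06, p06 := NewYearKey(2006)
	k07, p07 := NewYearKey(2007)
	release := []byte("Origin: Debian\nSuite: stable\n") // constructed sample
	sigs := map[int][]byte{2006: ed25519.Sign(p06, release), 2007: ed25519.Sign(p07, release)}
	jan07 := time.Date(2007, 1, 15, 0, 0, 0, 0, time.UTC)
	jan08 := time.Date(2008, 1, 15, 0, 0, 0, 0, time.UTC)
	stale, fresh := []ArchiveKey{k06}, []ArchiveKey{k06, k07}
	return VerifyAny(stale, release, sigs, jan07), VerifyAny(stale, release, sigs, jan08), VerifyAny(fresh, release, sigs, jan08)
}
```

Note that the 2006 key alone carries a stale keyring through all of 2007, which is the one-year grace period the two-year validity buys; the keyring update only becomes mandatory once that key expires.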


