
Re: bits from the release team



Joey Hess <joeyh@debian.org> writes:

> Goswin von Brederlow wrote:
>> Once you update apt it does. That is when you notice that suddenly you
>> need the key for authentication.
>
> As I said, you have to install debian-archive-keyring first.
>
>> Also on every key upgrade you have to install an untrusted package.
>
> No, you merely have to upgrade debian-archive-keyring before the old key
> expires, using the old key to validate the package containing the new
> one.

Doesn't work if the key is ever compromised and a new one has to be
created out of schedule. Or when you spend your x-mas holidays away
from your system and couldn't upgrade before New Year's Eve.

How big is this transition window going to be for the new key to be in
the keyring until it is used? That is a rather fragile thing.

>> Not to mention that any unofficial apt archive is left out in the
>> rain. Do you expect every archive to have their own keyring package?
>
> No, I expect them to continue distributing the apt keys in various ways
> as they already demonstrably do now, and probably eventually converge
> on a single standard way with a standard well-known command to get the key.

Which I suggested Debian starts doing for its own archive in a way all
others can follow. Making the tools use that way and all. So choosing
to follow that way becomes a no-brainer for everyone.

You can keep the key in the debian-archive-keyring as well. Nothing is
stopping that. But why not also make an example for other archives on
how to do it?

MfG
        Goswin


