Anthony Towns wrote:
> The key we'll be using (and indeed are already using) is available as:
> 	http://ftp-master.debian.org/archive-key-4.0.asc
> It's expected to be valid until sometime after lenny is released.

I feel that we've been pretty miserable at communicating this stuff to
our developers and our users. While I knew about the etch key (hard to
miss it, given the ugly behavior it caused in apt when the archive was
signed with it, before it reached debian-archive-keyring), it wasn't at
all clear that it would be used to sign anything other than etch.

I've tried to update http://wiki.debian.org/SecureApt to reflect what
you've said.

I'm still not clear what will happen to the still-existing yearly signing
key though. It's hard to predict what will happen if we reach
2007-02-07 and 2D230C5F expires. I think that due to #400526, it will at
least break debmirror. If we're phasing out the yearly signing key, we
should be sure to stop signing the archive with it before it expires.
Obviously, if we're not phasing it out, we have a rapidly shrinking
window to create the 2007 key.

see shy jo

