
Re: Archive signing key for 2007?



Anthony Towns <aj@azure.humbug.org.au> writes:

> On Thu, Jan 11, 2007 at 11:51:21PM +0100, Javier Fernández-Sanguino Peña wrote:
>> I thought that the 2007 key was (based on [1]) supposed to be available
>> early in January and available in the debian-archive-keyring package. Which
>> doesn't seem to be the case.
>
> The key we'll be using (and indeed are already using) is available as:
>
> 	http://ftp-master.debian.org/archive-key-4.0.asc
>
> It's expected to be valid until sometime after lenny is released.
>
> If you've upgraded a testing/unstable system in the past month or two,
> you'll find that key has been automatically added to your apt key list,
> after being verified by the normal trust path for upgraded packages --
> namely the current archive key you've been using, then the sha1sum of
> the Packages file and finally the md5sum of the apt package containing
> the updated key.

Interesting -- are there any formal procedures for the official
signing key?  I mean, how is the key generated, where is it stored,
who has access to it, is it on an online machine etc?

I think describing this would be useful, as a case-study of how to
manage an important key on a best-effort basis.

/Simon
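The trust path described in the quoted mail, as an added example that is not part of the original thread: the first link (the archive key's signature over the Release file) is assumed to have been checked already with gpg, and the code walks the remaining two links, the Release file's SHA1 entry for the Packages index and the Packages index's MD5sum entry for the apt .deb, using constructed sample data in the real field layout (the package path and file contents are made up).

```python
import hashlib
import re

# Constructed sample data standing in for the real archive files.
INDEX_PATH = "main/binary-i386/Packages"
DEB_PATH = "pool/main/a/apt/apt_0.6.46.4_i386.deb"   # constructed path
DEB_BYTES = b"constructed stand-in for the apt .deb contents"

def make_packages(deb_bytes, deb_path):
    """One stanza of a Packages index, in the real field layout."""
    return (f"Package: apt\nFilename: {deb_path}\nSize: {len(deb_bytes)}\n"
            f"MD5sum: {hashlib.md5(deb_bytes).hexdigest()}\n\n").encode()

def make_release(packages_bytes, index_path):
    """The SHA1 section of a Release file covering one index file."""
    return (f"Suite: unstable\nSHA1:\n {hashlib.sha1(packages_bytes).hexdigest()}"
            f" {len(packages_bytes)} {index_path}\n")

def release_entry(release_text, index_path):
    """Return (sha1, size) listed for index_path under 'SHA1:', or None."""
    in_sha1 = False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new field header
            in_sha1 = line.strip() == "SHA1:"
        elif in_sha1:
            digest, size, path = line.split()
            if path == index_path:
                return digest, int(size)
    return None

def packages_entry(packages_bytes, deb_path):
    """Return (md5, size) recorded for deb_path in the Packages index, or None."""
    for stanza in packages_bytes.decode().split("\n\n"):
        fields = dict(re.findall(r"^(\S+): (.*)$", stanza, re.M))
        if fields.get("Filename") == deb_path:
            return fields["MD5sum"], int(fields["Size"])
    return None

def verify_chain(release_text, packages_bytes, index_path, deb_bytes, deb_path):
    """Links 2 and 3 of the trust path: the (already signature-checked)
    Release must vouch for Packages, and Packages must vouch for the .deb."""
    want = release_entry(release_text, index_path)
    got = (hashlib.sha1(packages_bytes).hexdigest(), len(packages_bytes))
    if want != got:
        return False
    want = packages_entry(packages_bytes, deb_path)
    got = (hashlib.md5(deb_bytes).hexdigest(), len(deb_bytes))
    return want == got
```

Any change to the .deb or to the Packages index, or a missing entry for the requested path, breaks the chain and `verify_chain` returns False.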


