
Re: Archive signing key for 2007?



On Fri, Jan 19, 2007 at 01:55:06AM +1100, Anthony Towns wrote:
> The key we'll be using (and indeed are already using) is available as:
> 
> 	http://ftp-master.debian.org/archive-key-4.0.asc

Thanks for the info. Maybe I've missed something, but I thought there was
going to be one key per year (indeed, that's what I documented in the
Securing Debian Manual [1]):

"The Debian archive signing key is available at
http://ftp-master.debian.org/ziyi_key_2006.asc (replace 2006 with current
year)."

Using a different naming convention from last year is certainly confusing.
Why the 4.0? Because of etch?  Could it be possible to properly define what
naming convention will be used so that users can have a guideline where to
download the latest key from? It might be necessary for users that do not
have the latest version of debian-archive-keyring installed, find issues
when upgrading and have to take manual steps to include the latest
key.

Regards

Javier


[1]
http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html#s-check-releases

> 
> It's expected to be valid until sometime after lenny is released.
> 
> If you've upgraded a testing/unstable system in the past month or two,
> you'll find that key has been automatically added to your apt key list,
> after being verified by the normal trust path for upgraded packages --
> namely the current archive key you've been using, then the sha1sum of
> the Packages file and finally the md5sum of the apt package containing
> the updated key.
> 
> Debian developers can obtain the key from merkel over ssh, by looking
> in /srv/ftp.debian.org/web/archive-key-4.0.asc. The key id is 6070D3A1
> which can be obtained from the key servers with signatures from both me
> and Steve Langasek.
> 
> Cheers,
> aj
> 


Attachment: signature.asc
Description: Digital signature
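
Added example, not part of the original message and not apt's own code: a sketch of the hash chain described in the quoted text, where a Release file pins the SHA1 of the Packages index and the index pins the MD5sum of the apt package. It assumes the Release file's signature has already been checked against the current archive key; the sample data and the function names are constructed for illustration.

```python
import hashlib

def parse_release_sha1(release_text):
    """Return {path: (sha1, size)} from the SHA1 section of a Release file."""
    entries, in_sha1 = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA1:"):
            in_sha1 = True
        elif in_sha1 and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_sha1 = False  # any other field ends the checksum section
    return entries

def parse_packages(packages_text):
    """Return {package name: {field: value}} from a Packages index."""
    stanzas = {}
    for block in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in block.splitlines()
                      if ": " in l and not l.startswith(" "))
        stanzas[fields["Package"]] = fields
    return stanzas

def verify_chain(release_text, packages_path, packages_bytes, pkg_name, deb_bytes):
    """Assumption: the Release signature was already verified with the archive key."""
    pinned = parse_release_sha1(release_text).get(packages_path)
    if (pinned is None or len(packages_bytes) != pinned[1]
            or hashlib.sha1(packages_bytes).hexdigest() != pinned[0]):
        return "Packages mismatch"
    stanza = parse_packages(packages_bytes.decode()).get(pkg_name)
    if (stanza is None or len(deb_bytes) != int(stanza["Size"])
            or hashlib.md5(deb_bytes).hexdigest() != stanza["MD5sum"]):
        return "package mismatch"
    return "ok"

# Constructed sample data: a stand-in .deb, a Packages index and a Release file.
DEB = b"constructed stand-in for the apt .deb contents"
PACKAGES = ("Package: apt\nVersion: 0.0-constructed\n"
            "Filename: pool/main/a/apt/apt_constructed.deb\n"
            "Size: %d\nMD5sum: %s\n"
            % (len(DEB), hashlib.md5(DEB).hexdigest())).encode()
PACKAGES_PATH = "main/binary-i386/Packages"
RELEASE = ("Suite: testing\nSHA1:\n %s %d %s\n"
           % (hashlib.sha1(PACKAGES).hexdigest(), len(PACKAGES), PACKAGES_PATH))

if __name__ == "__main__":
    print(verify_chain(RELEASE, PACKAGES_PATH, PACKAGES, "apt", DEB))
```

A key shipped inside the package is only as trustworthy as every link in this chain, which is why a system without a current archive key needs an independent way to fetch and check the new one.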

