[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Archive signing key for 2007?

On Fri, Jan 19, 2007 at 01:55:06AM +1100, Anthony Towns wrote:
> The key we'll be using (and indeed are already using) is available as:
> 	http://ftp-master.debian.org/archive-key-4.0.asc

Thanks for the info. Maybe I've missed something, but I though there was
going to be one key per year (indeed, that's what I documented in the
Securing Debian Manual [1]) :

"The Debian archive signing key is available at
http://ftp-master.debian.org/ziyi_key_2006.asc (replace 2006 with current

Using a different naming convention from last year is certainly confusing.
Why the 4.0? Because of etch?  Could it be possible to properly define what
naming convention will be used so that users can have a guideline where to
download the latest key from? It might be necessary for users that are do not
have the latest version of debian-archive-keyring installed, find issues
when upgrading and have to take manual steps to include the latest




> It's expected to be valid until sometime after lenny is released.
> If you've upgraded a testing/unstable system in the past month or two,
> you'll find that key has been automatically added to your apt key list,
> after being verified by the normal trust path for upgraded packages --
> namely the current archive key you've been using, then the sha1sum of
> the Packages file and finally the md5sum of the apt package containing
> the updated key.
> Debian developers can obtain the key from merkel over ssh, by looking
> in /srv/ftp.debian.org/web/archive-key-4.0.asc. The key id is 6070D3A1
> which can be obtained from the key servers with signatures from both me
> and Steve Langasek.
> Cheers,
> aj

Attachment: signature.asc
Description: Digital signature

Reply to: