Re: Archive signing key for 2007?
On Fri Jan 19, 2007 at 13:01:45 +0100, Goswin von Brederlow wrote:
> Anthony Towns <email@example.com> writes:
> > On Thu, Jan 11, 2007 at 11:51:21PM +0100, Javier Fern?ndez-Sanguino Pe?a wrote:
> >> I thought that the 2007 key was (based on ) supposed to be available
> >> early in January and available in the debian-archive-keyring package. Which
> >> doesn't seem to be the case.
> > The key we'll be using (and indeed are already using) is available as:
> > http://ftp-master.debian.org/archive-key-4.0.asc
> > It's expected to be valid until sometime after lenny is released.
> > If you've upgraded a testing/unstable system in the past month or two,
> > you'll find that key has been automatically added to your apt key list,
> > after being verified by the normal trust path for upgraded packages --
> > namely the current archive key you've been using, then the sha1sum of
> > the Packages file and finally the md5sum of the apt package containing
> > the updated key.
> > Debian developers can obtain the key from merkel over ssh, by looking
> > in /srv/ftp.debian.org/web/archive-key-4.0.asc. The key id is 6070D3A1
> > which can be obtained from the key servers with signatures from both me
> > and Steve Langasek.
> > Cheers,
> > aj
> Does that mean etch will not be signed by an offline key? Was stable
> ever signed with an offline key?
> I think signing stable with an online key without passphrase is a
> serious loss/lack of trustiness in it. It means that if the archive
> gets compromised then stable package can be replaced without apt
Stable will be signed by both, online and offline key. Also every point
release will be signed by both keys.
[root@debian /root]# man real-life
No manual entry for real-life