Re: Archive signing key for 2007?
On Mon, Feb 05, 2007 at 04:14:07PM -0500, Joey Hess wrote:
> Seems you have still missed replying to this.
> The 2006 key expires on the 7th and is still being used to sign the
> If this is being used as an empirical way to find out what breakas, fine.
> So far all I know of is debmirror << 20070123. But I wish you could at
> least answer my mails about it.
FWIW, an additional problem was brought up on IRC last night -- apparently
the new key is not yet being used to sign the security.d.o archive, only the
old key that will be expiring shortly.
> Joey Hess wrote:
> > I think you may have missed replying to this. I'd really like to know
> > what's going to happen with the 2006 key expiry.
> > Joey Hess wrote:
> > > Anthony Towns wrote:
> > > > The key we'll be using (and indeed are already using) is available as:
> > > >
> > > > http://ftp-master.debian.org/archive-key-4.0.asc
> > > >
> > > > It's expected to be valid until sometime after lenny is released.
> > >
> > > I feel that we've been pretty miserable at communicating this stuff to
> > > our developers and our users. While I knew about the etch key (hard to
> > > miss it, given the ugly behavior it caused in apt when the archive was
> > > signed with it, before it reached debian-archive-keyring), it wasn't at
> > > all clear that it would be used to sign anything other than etch.
> > >
> > > I've tried to update http://wiki.debian.org/SecureApt to reflect what
> > > you've said.
> > >
> > > I'm still not clear what will happen to the still existing yearly signing
> > > key though. It's hard to predict what will happen if we reach
> > > 2007-02-07 and 2D230C5F expires. I think that due to #400526, it will at
> > > least break debmirror. If we're phasing out the yearly signing key, we
> > > should be sure to stop signing the archive with it, before it expires.
> > > Obviously, if we're not phasing it out, we have a rapidly shrinking
> > > window to create the 2007 key.
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.