[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Archive signing key for 2007?

Frans Pop <elendil@planet.nl> writes:

> On Thursday 15 February 2007 13:44, Goswin von Brederlow wrote:
>> > This includes my (partial) local mirror. Let's just say that this
>> > would seriously impact my work on D-I and the release.
>> Slightly off the topic but does that (still) work fine for you?
> Yes, debmirror works fine here. Apparently they stopped using the old key 
> in time.
>> I heard reports that D-I won't install from the netboot/busybox medium
>> if the signature can't be verified.
>> It would be very bad if the key expirey breaks D-I in the future.
> This has been "solved" by changing from using yearly keys to using release 
> keys. It is just that RC1 did not contain the release key yet.

So I take it that it is impossible to install from a partial mirror
that has its own signature. Like a reprepro archive or apt-move/fetch
+ apt-ftparchive. Or does the user get the choice of ignoring the
signature failure and install from an untrusted source?

> So this should not be an issue in the future as long as release keys don't 
> get revoked (but then things _should_ break and new images with new keys 
> made available anyway).

Should they? I still think the new key should be fetched, signatures
verified and then the user should be given a choice to trust the new
key or not. Having to burn new CDs is such a waste of CDs.

> I see the Etch key is valid only until 01 July 2009, so after that date 
> this _will_ be a problem. By then Etch should hopefully be "oldstable", 
> but having a working installer for oldstable is still a good thing...

Lets put a "Good before 01 July 2009" sticker on the cover art. :)

> Cheers,


Reply to: