Re: Archive signing key for 2007?
Frans Pop <firstname.lastname@example.org> writes:
> On Thursday 15 February 2007 13:44, Goswin von Brederlow wrote:
>> > This includes my (partial) local mirror. Let's just say that this
>> > would seriously impact my work on D-I and the release.
>> Slightly off the topic but does that (still) work fine for you?
> Yes, debmirror works fine here. Apparently they stopped using the old key
> in time.
>> I heard reports that D-I won't install from the netboot/busybox medium
>> if the signature can't be verified.
>> It would be very bad if the key expiry breaks D-I in the future.
> This has been "solved" by changing from using yearly keys to using release
> keys. It is just that RC1 did not contain the release key yet.
So I take it that it is impossible to install from a partial mirror
that has its own signature. Like a reprepro archive or apt-move/fetch
+ apt-ftparchive. Or does the user get the choice of ignoring the
signature failure and installing from an untrusted source?
> So this should not be an issue in the future as long as release keys don't
> get revoked (but then things _should_ break and new images with new keys
> made available anyway).
Should they? I still think the new key should be fetched, signatures
verified and then the user should be given a choice to trust the new
key or not. Having to burn new CDs is such a waste of CDs.
> I see the Etch key is valid only until 01 July 2009, so after that date
> this _will_ be a problem. By then Etch should hopefully be "oldstable",
> but having a working installer for oldstable is still a good thing...
Let's put a "Good before 01 July 2009" sticker on the cover art. :)