Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild



On 2016-08-10 12:55, Ian Jackson wrote:
> Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re:
> Key collisions in the wild"):
> > On 2016-08-10 11:39, Ian Jackson wrote:
> > > It would be much better to put out a stable release update to change
> > > the default.  (Probably not a security update because of the risk of
> > > causing currently-vulnerable scripts to become nonfunctional, which is
> > > not something we normally do in security updates.)
> >
> > Stable updates in point releases aren't fundamentally different in that
> > respect to those issued via the security archive.
>
> I was under the impression that the intent was that there was a
> meaningful distinction in the level of conservativeness between "take
> security updates" and "take security updates and stable updates too".
>
> If that's not the case, then I don't understand what the distinction
> is.

That depends on what you mean by "stable updates". If you mean those announced via debian-stable-announce@ then the primary difference is that they don't need to be (and often won't be) security-related. If you're talking about point releases, then from a security perspective the fundamental difference is the speed at which updates are made available to users.

Not all security updates are released via the security archive, but the difference is more likely to be a result of the manpower available to handle managing and releasing such updates and the perceived impact of the vulnerability. "We" assume that the majority of users will upgrade to stable point releases once they're available and there's a corresponding expectation on the part of our users as to what kind of updates will be included; the decision as to whether to break existing setups shouldn't be fundamentally different simply based on how the update was released.

Regards,

Adam