
Re: Secure APT Key Management



* Martin Schulze:

> I'd really love to see this feature properly implemented.

The only approach which is known to work is static keys for stable
releases and stable security updates.  The keys can be stored off-line
or on-line, at the discretion of the respective teams.

So far, we have botched all yearly key rollovers, and there is zero
evidence that we'll get the first one that really matters right.
Unfortunately, the key rollover approach is generally assumed to be
required to achieve a decent level of security and strongly preferred
over the alternatives.  Needless to say, I very strongly disagree with
that position.

(IIRC, -release is not a discussion list, so details should be discussed
elsewhere.)

From a release engineering view, the last possible date at which APT
key material can be included in d-i would be interesting, I guess.
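The practical worry behind the rollover remarks above is that a key shipped in d-i or in a stable keyring expires before the release it must verify stops receiving security updates. The following is an added example, not code from this thread or from Debian's tooling: it parses the machine-readable `gpg --with-colons --list-keys` format and flags keys whose expiry falls before a chosen end-of-support date. The keyring output and all key IDs are constructed for the example; the support deadline is an assumption passed in by the caller.

```python
"""Flag APT signing keys that expire before a release's support window ends.

Added example, not part of the original mailing-list thread or of Debian's
own tooling. Parses gpg's colon-separated listing format (``gpg --with-colons
--list-keys``) and reports keys whose expiry precedes a given deadline.
"""
import datetime as dt

# Constructed sample keyring in gpg 2.x colon format. Fields on a "pub" line:
# type, validity, bits, algo, key ID, created, expires, ... ; timestamps are
# Unix epoch seconds. The key IDs and user IDs are fictitious. Three keys:
# a static key with no expiry, a key expiring 2027-01-01, and a yearly
# rollover key expiring 2025-01-01.
SAMPLE_KEYRING = """\
tru::1:1700000000:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1672531200::::::scSC::::::23::0:
uid:-::::1672531200::0000000000000000000000000000000000000000::Constructed Stable Archive Key (static)::::::::::0:
pub:-:4096:1:FEDCBA9876543210:1672531200:1798761600::::::scSC::::::23::0:
uid:-::::1672531200::1111111111111111111111111111111111111111::Constructed Security Key (expires 2027-01-01)::::::::::0:
pub:-:4096:1:1122334455667788:1672531200:1735689600::::::scSC::::::23::0:
uid:-::::1672531200::2222222222222222222222222222222222222222::Constructed Yearly Rollover Key (expires 2025-01-01)::::::::::0:
"""


def _utc(ts):
    """Convert an epoch-seconds string from the colon format to an aware datetime."""
    return dt.datetime.fromtimestamp(int(ts), dt.timezone.utc)


def parse_keys(colon_output):
    """Return a list of dicts {key_id, uid, created, expires} for each primary key.

    `expires` is None for keys without an expiry date. The first "uid" line
    following a "pub" line is taken as that key's user ID.
    """
    keys = []
    current = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {
                "key_id": f[4],
                "uid": None,
                "created": _utc(f[5]),
                "expires": _utc(f[6]) if f[6] else None,
            }
            keys.append(current)
        elif f[0] == "uid" and current is not None and current["uid"] is None:
            current["uid"] = f[9]
    return keys


def keys_expiring_before(colon_output, deadline_iso):
    """Key IDs whose expiry precedes `deadline_iso` (a YYYY-MM-DD date, UTC).

    Keys with no expiry date never trigger; they are the "static key" case.
    """
    deadline = dt.datetime.fromisoformat(deadline_iso).replace(tzinfo=dt.timezone.utc)
    return [
        k["key_id"]
        for k in parse_keys(colon_output)
        if k["expires"] is not None and k["expires"] < deadline
    ]


if __name__ == "__main__":
    # Assumed end of security support for the release being checked.
    deadline = "2026-06-30"
    for key in parse_keys(SAMPLE_KEYRING):
        exp = key["expires"].date().isoformat() if key["expires"] else "never"
        print(f"{key['key_id']}  expires {exp:<10}  {key['uid']}")
    print("Keys that expire before", deadline, ":", keys_expiring_before(SAMPLE_KEYRING, deadline))
```

To run this against a real keyring, feed it the output of `gpg --with-colons --list-keys --keyring <file>` instead of `SAMPLE_KEYRING`; the deadline should be the date until which the release's stable and security repositories must remain verifiable by an installer that shipped with that keyring.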


