Re: Secure APT Key Management

Raphael Hertzog wrote:
> > > I'd really love to see this feature properly implemented.
> > 
> > The only approach which is known to work is static keys for stable
> > releases and stable security updates.  The keys can be stored off-line
> > or on-line, at the discretion of the respective teams.
> > 
> > So far, we have botched all yearly key rollovers, and there is zero
> > evidence that we'll get the first one that really matters right.
> > Unfortunately, the key rollover approach is generally assumed to be
> > required to achieve a decent level of security and strongly preferred
> > over the alternatives.  Needless to say, I very strongly disagree with
> > that position.
> Why don't we put two signatures? One from a yearly key and one from a
> release key.

The release key could also be stored off-site on a floppy/cd/usb-stick
and only be used when the released release is updated (i.e. when
a point release is made).  This reduces the chance of this key to be
compromised, since it wouldn't be stored on the net as updates are
only done very infrequently.



