
Re: Emdebian archive key for Lenny



Adeodato Simó wrote:
> * Neil Williams [Wed, 07 Jan 2009 20:38:07 +0000]:
> 
>> On Tue, 6 Jan 2009 13:54:13 +0100
>> Adeodato Simó <dato@net.com.org.es> wrote:
> 
>>> * Neil Williams [Wed, 31 Dec 2008 14:59:47 +0000]:

>>> There is a variation of this, which consists in us signing your Release
>>> file at the time of Lenny release. This has the advantage that, should
>>> either the Emdebian server or the Emdebian key become compromised,
>>> installation using d-i is not compromised.
> 
>> There may be a short delay - depending on exactly when the Lenny
>> release is made but I'm sure we can cope with that. There is nothing in
>> the Emdebian Grip stable distribution at this time and it would be
>> simple to coordinate the migration of the packages and signing of the
>> Release files on #debian-release.
> 
>> Would debian-release want to do any checks on the repository itself or
>> simply verify the signature on the Release file by the Emdebian key?
>> Wookey can arrange access to the Emdebian server.
> 
>> Signing the stable Release file with the Emdebian key will be a manual
>> process, once I'm happy that the migration of packages into stable has
>> been complete and matches Lenny within the subset of packages supported
>> by Grip at the time of the release.
> 
> I'd personally ask that you hand us a copy of the Release file signed
> with *your* personal key (or, if gpg supports it, which I think it does,
> with the two keys).

It does support it.

>> What is the process for signing the Debian Release files?
> 
> A stable RM signs the Release file, and hands the result to ftpmaster --
> in this case, you.

Indeed, for a stable (point) release that means after we do some checks
(probably should be automated more so we don't overlook anything).

> I'm Bcc'ing the stable RMs so that they confirm they would be okay with
> signing Emdebian Release files. (Sorry I didn't quote all the text, I
> thought of the Bcc later. Full thread is on -release.)

Well, if it's me who is going to sign, then I want to do some checks to
verify that everything looks more or less ok.

Cheers

Luk
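
The thread above turns on a Release file that carries signatures from two keys. As an added example (not part of the thread, nor Debian or Emdebian tooling), this Python check reads GnuPG's `--status-fd` output and reports which required signers are missing. The fingerprints and status lines are constructed placeholders, and treating expired or revoked signers as missing is a policy assumption of this example.

```python
# Added example: policy check over GnuPG status output, e.g. from
#   gpg --status-fd 1 --verify Release.gpg Release
# All fingerprints are constructed placeholders, not real archive or personal keys.
ARCHIVE_KEY = "A" * 40   # hypothetical archive signing key
PERSONAL_KEY = "B" * 40  # hypothetical maintainer personal key
REQUIRED = {ARCHIVE_KEY, PERSONAL_KEY}
REJECTING = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def valid_signers(status_output):
    """Primary-key fingerprints whose signature verified and was not flagged."""
    valid, rejected = {}, set()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        keyword, key = fields[1], fields[2].upper()
        if keyword in REJECTING:
            rejected.add(key)  # long key ID or fingerprint of the signing key
        elif keyword == "VALIDSIG":
            # Field 12, when present, is the primary key's fingerprint.
            valid[key] = fields[11].upper() if len(fields) >= 12 else key
    return {primary for signing, primary in valid.items()
            if not any(signing.endswith(r) for r in rejected)}

def missing_signers(status_output, required=REQUIRED):
    """Required fingerprints that did not produce an acceptable signature."""
    return {f.upper() for f in required} - valid_signers(status_output)

def _validsig(fpr):
    # Constructed VALIDSIG line: fpr, date, timestamps, version, algos, class, primary fpr
    return f"[GNUPG:] VALIDSIG {fpr} 2009-01-07 1231360687 0 4 0 1 2 00 {fpr}"

# Constructed sample outputs.
BOTH_SIGNED = "\n".join([_validsig(ARCHIVE_KEY), _validsig(PERSONAL_KEY)])
ARCHIVE_ONLY = _validsig(ARCHIVE_KEY)
PERSONAL_EXPIRED = "\n".join([
    _validsig(ARCHIVE_KEY),
    f"[GNUPG:] EXPKEYSIG {PERSONAL_KEY[-16:]} Constructed Signer",
    _validsig(PERSONAL_KEY),
])

if __name__ == "__main__":
    for name, out in [("both", BOTH_SIGNED), ("archive only", ARCHIVE_ONLY),
                      ("personal expired", PERSONAL_EXPIRED)]:
        print(name, "-> missing:", sorted(missing_signers(out)) or "none")
```

An empty result from `missing_signers` means every required key produced an acceptable signature; any other result names the fingerprints still to be accounted for.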

