
Which key to use for signing oldstable-*?
Hi,

Phillip Kern noticed we use the new Wheezy automatic signing key for
squeeze-updates, but not for squeeze-security and asked to change the
former back to the Squeeze key.

I looked at the archive to see what was done in the past and noticed
that the Squeeze key was used to sign the last Lenny point release. Same
for etch and etch-security (signed with the Lenny key). However
lenny-security was signed with a different key (the Lenny key). So it
seems this wasn't handled consistently in the past.

There are three options:

a, Continue to use the old key for oldstable,
   i.e. sign all squeeze suites (including -security, -updates) with
   the "Debian Archive Automatic Signing Key (6.0/squeeze)" key.
   All other suites would be signed with the current key.
b, always use the current key,
   i.e. sign everything with "Debian Archive Automatic Signing Key
   (7.0/wheezy)",
or
c, use the old and current key for oldstable, and only the current key
   for the rest.

For brevity I omitted the transition phase that may use more than one
key.

I tend towards (a) or (c) as the newer keys are often introduced in a
point release and an r0 installer might not trust the newer key (and
only "oldstable" itself is signed with the release team's key, -security
and other suites are not).

Ansgar

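The concern in the mail (an r0 installer that only ships the older archive key must still be able to verify oldstable suites) can be checked with throwaway keys. The following is an added example, not part of the original mail nor Debian's own tooling: it generates two disposable GnuPG keys named `squeeze-test-key` and `wheezy-test-key` (stand-ins for the 6.0 and 7.0 archive keys; user IDs, the sample Release file and the keyring file names are all constructed for this demo), signs a Release file once the way option (b) would (current key only) and once the way option (c) would (both keys), and then verifies each signature file against two client keyrings: one holding only the old key, one holding both. It assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example, not from the mail above: models options (b) and (c) with two
# throwaway GnuPG keys. "squeeze-test-key" stands in for the oldstable archive
# key and "wheezy-test-key" for the current one; the user IDs, the sample
# Release file and the keyring names are all constructed for this demo and
# have nothing to do with the real Debian archive keys.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# Generate a passphrase-less throwaway key (discarded with $WORK at the end).
make_key() {
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key "$1" default default never >/dev/null 2>&1
}
make_key "squeeze-test-key <squeeze@example.invalid>"
make_key "wheezy-test-key <wheezy@example.invalid>"

# Constructed stand-in for the Release file of an oldstable suite.
printf 'Suite: oldstable\nCodename: squeeze\n' > "$WORK/Release"

# Option (b): one detached signature file, current key only.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --local-user wheezy-test-key \
    --detach-sign --output "$WORK/Release-b.gpg" "$WORK/Release"

# Option (c): one detached signature file carrying a signature from each key.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --local-user squeeze-test-key --local-user wheezy-test-key \
    --detach-sign --output "$WORK/Release-c.gpg" "$WORK/Release"

# Two client keyrings: an r0 installer that only ships the old key, and an
# up-to-date system that has both.
gpg --batch --quiet --export squeeze-test-key > "$WORK/r0-installer.gpg"
gpg --batch --quiet --export squeeze-test-key wheezy-test-key > "$WORK/current.gpg"

# count_good_sigs KEYRING SIGFILE FILE: number of signatures on SIGFILE that
# verify against KEYRING. The machine-readable status lines are parsed (as apt
# does) instead of relying on gpg's exit status, because gpg reports an error
# for any signature whose key is unknown even when another signature on the
# same file is good.
count_good_sigs() {
    gpg --batch --no-default-keyring --keyring "$1" --status-fd 1 \
        --verify "$2" "$3" 2>/dev/null | grep -c '^\[GNUPG:\] GOODSIG' || true
}

R0_OPTION_B=$(count_good_sigs "$WORK/r0-installer.gpg" "$WORK/Release-b.gpg" "$WORK/Release")
R0_OPTION_C=$(count_good_sigs "$WORK/r0-installer.gpg" "$WORK/Release-c.gpg" "$WORK/Release")
CUR_OPTION_B=$(count_good_sigs "$WORK/current.gpg" "$WORK/Release-b.gpg" "$WORK/Release")
CUR_OPTION_C=$(count_good_sigs "$WORK/current.gpg" "$WORK/Release-c.gpg" "$WORK/Release")

echo "option (b), r0 installer (old key only):  $R0_OPTION_B good signature(s)"
echo "option (b), current system (both keys):   $CUR_OPTION_B good signature(s)"
echo "option (c), r0 installer (old key only):  $R0_OPTION_C good signature(s)"
echo "option (c), current system (both keys):   $CUR_OPTION_C good signature(s)"

gpgconf --kill gpg-agent >/dev/null 2>&1 || true
rm -rf "$WORK"
```

Under option (b) the old-key-only client finds no good signature and would reject the suite, while under option (c) it verifies one of the two signatures and accepts it; the client with both keys accepts in either case. The status-line parsing matters in practice: a verifier that only looks at gpg's exit code would wrongly treat the two-signature file as a failure on the client that knows only one of the keys.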