
Re: Which key to use for signing oldstable-*?



Hey,

On Thu, Oct 24, 2013 at 1:50 PM, Ansgar Burchardt <ansgar@debian.org> wrote:
Philipp Kern noticed we use the new Wheezy automatic signing key for
squeeze-updates, but not for squeeze-security and asked to change the
former back to the Squeeze key.

Not only does squeeze-security not use the wheezy key, the point release also used the old squeeze autobuilding key for the archive signature. I agree that we should stick to one approach that's then documented.

I looked at the archive to see what was done in the past and noticed
that the Squeeze key was used to sign the last Lenny point release. Same
for etch and etch-security (signed with the Lenny key). However
lenny-security was signed with a different key (the Lenny key). So it
seems this wasn't handled consistently in the past.

There are three options:

a, Continue to use the old key for oldstable,
   i.e. sign all squeeze suites (including -security, -updates) with
   the "Debian Archive Automatic Signing Key (6.0/squeeze)" key.
   All other suites would be signed with the current key.
b, always use the current key,
   i.e. sign everything with "Debian Archive Automatic Signing Key
   (7.0/wheezy)",
or
c, use the old and current key for oldstable, and only the current key
   for the rest.

If we pick c), does that mean three signatures for the point release and two signatures for the others?

Kind regards
Philipp Kern
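An added example, not from this thread or from Debian's archive tooling, that parses a detached Release.gpg into its OpenPGP signature packets (RFC 4880) and reports how many signatures the file carries and which key IDs issued them, which is how one would audit a suite against options a), b) or c). The key IDs are constructed placeholders rather than Debian's real archive key IDs, and the sample packets are parseable but not cryptographically verifiable.

```python
import struct
def _length(buf, i):
    """Decode a new-format packet or subpacket length at buf[i]; return (length, next_i)."""
    first = buf[i]
    if first < 192: return first, i + 1
    if first < 255: return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
def _packets(data):
    """Yield (tag, body) for each OpenPGP packet, old- or new-format header."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:                                   # new-format header
            tag, (length, i) = ctb & 0x3F, _length(data, i + 1)
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3: raise ValueError("indeterminate length unsupported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length
def _subpackets(blob):
    """Yield (type, data) for each signature subpacket; top bit of type is the critical flag."""
    i = 0
    while i < len(blob):
        length, i = _length(blob, i)
        yield blob[i] & 0x7F, blob[i + 1:i + length]
        i += length
def signatures(data):
    """One dict per v4 signature packet: algorithms and issuer key ID (subpacket type 16)."""
    out = []
    for tag, body in _packets(data):
        if tag != 2 or body[0] != 4: continue
        hlen = struct.unpack(">H", body[4:6])[0]
        ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
        subs = list(_subpackets(body[6:6 + hlen])) + list(_subpackets(body[8 + hlen:8 + hlen + ulen]))
        issuer = next((d.hex().upper() for t, d in subs if t == 16), None)
        out.append({"pubkey_algo": body[2], "hash_algo": body[3], "issuer": issuer})
    return out
def build_signature(keyid_hex, new_format=False):
    """Constructed v4 RSA/SHA-256 signature packet with a dummy MPI: parseable, not verifiable."""
    issuer = bytes([9, 16]) + bytes.fromhex(keyid_hex)   # unhashed issuer subpacket
    body = (bytes([4, 0, 1, 8, 0, 0]) + struct.pack(">H", len(issuer)) + issuer
            + b"\xab\xcd" + struct.pack(">H", 16) + b"\xff\xff")
    return (b"\xc2" if new_format else b"\x88") + bytes([len(body)]) + body
# Option c) stand-in: oldstable Release.gpg carrying the old and the current key's signatures.
OLD_KEY, CURRENT_KEY = "0000000000006000", "0000000000007000"  # placeholder IDs, not Debian's
RELEASE_GPG_OPTION_C = build_signature(OLD_KEY) + build_signature(CURRENT_KEY, new_format=True)
```

A suite signed per option a) or b) would yield one signature from the old or the current key respectively; a real Release.gpg can be fed in as `open("Release.gpg", "rb").read()`.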
