
Re: ziyi_2005 key's main signatures not in debian-keyring



On Wed, 16 Feb 2005, Todd Troxell wrote:
> On Mon, Feb 14, 2005 at 02:01:04PM +0100, martin f krafft wrote:
> > Moreover, my problem is that the debian-keyring package is outdated.
> > Thus I wonder whether it does more harm than good.
> 
> Does this package serve a purpose at all if it's outdated?
> 
> It does seem that we should either get it right or dump it.  Would this be a
> good candidate for volatile?

It would be THE candidate for volatile, and it *can* be automatically
generated from a known-good and trusted source (AFAIK it is possible to have
a trusted path to the master keyrings, which are available through rsync
even).

Update the package every time the master keyrings are updated, and its
usefulness will increase quite a lot.  Now you only have to react to a
reminder that says "please sign and upload the automatically generated
package, there were changes in the keyring today", which should be quite
fast.

There is an alternative. Make it an "installer and updater" package that
gets the keyrings using rsync/zsync and keeps them updated (download once
every week, at a random time so as not to cause a horde effect...).  I would
still prefer an auto-updated package with the keyring data itself, since
that is far more server-friendly.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


