
Re: Debian APT Key Revocation Procedure



I think the big issue here is that you need to be part of the 'in crowd' to know that the DSA team is reached via the debian-admin list.  It's not logical, IMHO, for these to be related.  I don't believe that these two teams completely ignore the debian-security lists, as they obviously (IMHO) have a stake in the security aspect of Debian.

There likely are, and should be, a few people, not necessarily members, watching debian-security who could forward an FYI to these teams.  I don't think it's right to try to teach EVERYONE the layout of the land; instead such postings should be forwarded to the correct team without needing to involve the individual "trying to help" in the local and internal politics.

I say this only because it's logical to outsiders that these teams be reachable here and thus they should be, even if they are not.

Cheers.


On Fri, Nov 1, 2013 at 12:10 PM, Henrique de Moraes Holschuh <hmh@debian.org> wrote:
On Thu, 31 Oct 2013, adrelanos wrote:
> But what could you do with the revocation certificate?
>
> Only manually spread the news and ask users to obtain the revocation
> certificate?

We would widely publish that information, that's a given.  But it is not the
only way to publish the revocation certificate and the replacement keys.

> Or will the apt on Debian user's machines somehow learn about that
> revocation certificate? If so, how does that procedure work? Where is it
> configured?

I believe we'd deploy a security update of the "debian-archive-keyring"
package, with the updated key material and revocation certificates.  There
are backup keys to allow for key rollover.

Now, this does NOT address all scenarios.  It is not a perfect solution.

For a more precise answer, please ask the debian-admin ML.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


Archive: http://lists.debian.org/20131101171006.GA1597@khazad-dum.debian.net
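The quoted reply says a compromised archive key would be handled by shipping the revocation certificate and replacement keys in a security update of debian-archive-keyring. A practitioner's follow-up question is how to tell, on a given machine, whether the keys APT trusts carry such a revocation yet. The script below is an added example, not code from the thread or from the Debian project: it parses the colon-delimited output of `gpg --with-colons --list-keys` (the pub/fpr/uid/rev records), lists revoked keys, and compares a machine's current keyring listing against the listing of an updated keyring to find keys that are still trusted locally but revoked upstream. All key IDs, fingerprints, dates and user IDs in the two sample listings are constructed placeholders, not real Debian keys.

```python
"""Report revoked keys from `gpg --with-colons --list-keys` output.

Added example for the debian-archive-keyring discussion; not Debian's own
tooling.  SAMPLE_* listings are constructed and contain no real key material.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed listing of a machine whose keyring predates the revocation.
# Field 2 of a 'pub' record is gpg's validity flag ('-' = not computed).
SAMPLE_BEFORE_UPDATE = """\
pub:-:4096:1:0123456789ABCDEF:1357689600:::-:::scSC::::::23::0:
fpr:::::::::00000000000000000123456789ABCDEF:
uid:-::::1357689600::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Example Archive Signing Key (CONSTRUCTED)::::::::::0:
"""

# Constructed listing after an updated keyring was installed: the old key is
# now marked 'r' (revoked) and carries a 'rev' record of class 0x20 (key
# revocation, shown as "20x" in field 11); a replacement key is present.
SAMPLE_AFTER_UPDATE = """\
pub:r:4096:1:0123456789ABCDEF:1357689600:::-:::scSC::::::23::0:
fpr:::::::::00000000000000000123456789ABCDEF:
uid:r::::1357689600::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Example Archive Signing Key (CONSTRUCTED)::::::::::0:
rev:!::1:0123456789ABCDEF:1383324000::::Example Archive Signing Key (CONSTRUCTED):20x:
pub:-:4096:1:FEDCBA9876543210:1383324000:::-:::scSC::::::23::0:
fpr:::::::::0000000000000000FEDCBA9876543210:
uid:-::::1383324000::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB::Example Archive Replacement Key (CONSTRUCTED)::::::::::0:
"""


@dataclass
class Key:
    keyid: str
    validity: str              # gpg validity flag from the pub record
    fingerprint: str = ""
    uids: List[str] = field(default_factory=list)
    key_revoked: bool = False  # set when a class-0x20 'rev' record is seen

    @property
    def revoked(self) -> bool:
        # Either signal is sufficient: gpg marks validity 'r' once it has
        # processed a revocation, and the 'rev' record is the certificate.
        return self.validity == "r" or self.key_revoked


def parse_listing(listing: str) -> Dict[str, Key]:
    """Parse colon-format output into {keyid: Key} for primary keys."""
    keys: Dict[str, Key] = {}
    current = None
    for line in listing.splitlines():
        f = line.split(":")
        rtype = f[0]
        if rtype == "pub":
            current = Key(keyid=f[4], validity=f[1])
            keys[current.keyid] = current
        elif rtype == "sub":
            current = None          # subkeys are not tracked in this example
        elif current is None:
            continue
        elif rtype == "fpr" and not current.fingerprint:
            current.fingerprint = f[9]      # field 10 holds the fingerprint
        elif rtype == "uid":
            current.uids.append(f[9])       # field 10 holds the user ID
        elif rtype == "rev" and len(f) > 10 and f[10].startswith("20"):
            current.key_revoked = True      # 0x20 = key revocation signature
    return keys


def revoked_keys(listing: str) -> List[str]:
    """Key IDs in the listing that are revoked, sorted for stable output."""
    return sorted(k.keyid for k in parse_listing(listing).values() if k.revoked)


def stale_trust(local_listing: str, updated_listing: str) -> List[str]:
    """Keys trusted locally without revocation but revoked in the updated keyring.

    A non-empty result means the machine has not yet picked up the keyring
    update that carries the revocation certificate.
    """
    local = parse_listing(local_listing)
    updated = parse_listing(updated_listing)
    return sorted(
        kid for kid, key in local.items()
        if not key.revoked and kid in updated and updated[kid].revoked
    )


def report(listing: str) -> List[str]:
    """Human-readable summary lines, one per primary key."""
    lines = []
    for key in parse_listing(listing).values():
        status = "REVOKED" if key.revoked else "ok"
        name = key.uids[0] if key.uids else "<no uid>"
        lines.append(f"{key.keyid} {status:8} {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AFTER_UPDATE)))
    print("stale:", stale_trust(SAMPLE_BEFORE_UPDATE, SAMPLE_AFTER_UPDATE))
```

On a real system the listing would come from a command such as `gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/<keyring>.gpg --with-colons --list-keys`, run once against the machine's installed keyring and once against the keyring file from the updated package; the comparison then tells an operator whether the revocation described in the thread has actually reached that host.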


