Archive GPG key expiring process
I am just wondering about a hypothetical situation where the master GPG key used for signing the Debian archive was stolen. After creating a new master key and getting a new public key into the debian-keyring package, how would you get that to users?
I mean, if you re-signed the Release file after the attack happened with a new master key, that would mean nobody could apt-get the debian-keyring package for the new public key.
I am wondering if I am missing something. Is there a process for this possibility?