
Archive GPG key expiring process


I am just wondering about a hypothetical situation where the master GPG key used for signing the Debian archive was stolen. After creating a new master key and getting a new public key into the debian-keyring package, how would you get that to users?

I mean, if you re-signed the Release file with a new master key after the attack happened, that would mean nobody could apt-get the debian-keyring package for the new public key.

I am wondering if I am missing something. Is there a process for this possibility?  

David Hubner
Software Engineer


Smoothwall Ltd
1 John Charles Way, Leeds, LS12 6QA United Kingdom
Telephone:  USA: 1 800 959 3760  Europe: +44 (0) 8701 999500
