
Re: Archive GPG key expiring process



David Hubner:
> Hi,
> 
> I am just wondering about a hypothetical situation where the master GPG key
> used for signing the debian archive was stolen. After creating a new master
> key and getting a new public key into the debian-keyring package, how would
> you get that to users?
> 
> I mean if you resigned the release file after the attack happened with a
> new master key that would mean nobody could apt-get the debian-keyring
> package for the new public key.
> 
> I am wondering if I am missing something. Is there a process for this
> possibility?
> 
> Thanks
> 

Debian has no good mechanism to revoke apt keys in case of compromise,
nor a way to inform users in emergency situations:
https://lists.debian.org/debian-security/2013/10/msg00065.html

An apt key revoker should be written:
https://lists.debian.org/debian-security/2013/12/msg00031.html

It's on my list, but I never got to it:
https://github.com/Whonix/Whonix/issues/125

So anyone, feel encouraged to do something about it.

Cheers,
Patrick
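The bootstrap problem the thread describes (a Release file resigned with a new key is unverifiable for clients that only trust the old one, and the stolen key itself cannot be allowed to authorise its own replacement) can be made concrete with a small model. The following is an added example, not code from this thread, from Debian or from apt: it is a hypothetical design sketch that uses Ed25519 in place of OpenPGP, a truncated SHA-256 of the public key in place of a GPG fingerprint, and invented names (`TrustStore`, `Rotation`, `Scenario`). Its one design assumption is that clients already hold a separate, offline-kept "rotation key" that is used for nothing except signing revoke-and-replace records.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyID stands in for a GPG fingerprint: hex of the first 8 bytes of SHA-256(pubkey).
type KeyID string

func idOf(pub ed25519.PublicKey) KeyID {
	sum := sha256.Sum256(pub)
	return KeyID(hex.EncodeToString(sum[:8]))
}

// Signed is a body (e.g. a Release file) plus its signature and the signer's KeyID.
type Signed struct {
	Body   []byte
	Sig    []byte
	Signer KeyID
}

func sign(priv ed25519.PrivateKey, body []byte) Signed {
	pub := priv.Public().(ed25519.PublicKey)
	return Signed{Body: body, Sig: ed25519.Sign(priv, body), Signer: idOf(pub)}
}

// Rotation is the "revoke OLD, trust NEW" record. Clients must be able to verify it
// with a key the archive-key thief does not hold, otherwise it is worthless.
type Rotation struct {
	Revoke KeyID
	NewPub ed25519.PublicKey
}

func (r Rotation) encode() []byte {
	return append([]byte("rotate:"+string(r.Revoke)+":"), r.NewPub...)
}

// TrustStore models a client's trusted apt keys (Archive) plus a separate set of
// offline-held rotation keys (Rotation) that was shipped before any incident.
type TrustStore struct {
	Archive  map[KeyID]ed25519.PublicKey
	Rotation map[KeyID]ed25519.PublicKey
	Revoked  map[KeyID]bool
}

// VerifyRelease accepts a Release file only if a known, non-revoked archive key signed it.
func (ts *TrustStore) VerifyRelease(rel Signed) error {
	pub, ok := ts.Archive[rel.Signer]
	if !ok || ts.Revoked[rel.Signer] {
		return errors.New("release signed by unknown or revoked archive key")
	}
	if !ed25519.Verify(pub, rel.Body, rel.Sig) {
		return errors.New("bad release signature")
	}
	return nil
}

// ApplyRotation revokes one archive key and installs another, but only on the
// authority of a rotation key. An archive key, stolen or not, cannot do this itself.
func (ts *TrustStore) ApplyRotation(r Rotation, sig []byte, signer KeyID) error {
	pub, ok := ts.Rotation[signer]
	if !ok {
		return errors.New("rotation not signed by a trusted rotation key")
	}
	if !ed25519.Verify(pub, r.encode(), sig) {
		return errors.New("bad rotation signature")
	}
	ts.Revoked[r.Revoke] = true
	ts.Archive[idOf(r.NewPub)] = r.NewPub
	return nil
}

// Outcome records each step of the thread's hypothetical; nil means "accepted".
type Outcome struct {
	NewKeyBeforeRotation error // Release signed by the new key, client not yet rotated
	RogueRotation        error // rotation record signed with the stolen archive key
	LegitRotation        error // rotation record signed with the offline rotation key
	NewKeyAfterRotation  error // Release signed by the new key after rotation
	OldKeyAfterRotation  error // Release signed by the revoked key after rotation
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario: the archive key is assumed stolen, a new one is issued, and a client
// that trusts only the old key has to be moved over safely.
func Scenario() Outcome {
	oldPub, oldPriv := mustKey() // archive key, assumed compromised
	rotPub, rotPriv := mustKey() // offline rotation key, pre-installed on clients
	newPub, newPriv := mustKey() // replacement archive key
	evilPub, _ := mustKey()      // key the thief would like clients to trust

	client := &TrustStore{
		Archive:  map[KeyID]ed25519.PublicKey{idOf(oldPub): oldPub},
		Rotation: map[KeyID]ed25519.PublicKey{idOf(rotPub): rotPub},
		Revoked:  map[KeyID]bool{},
	}
	release := []byte("Origin: Debian\nSuite: stable\n") // constructed stand-in for a Release file
	var out Outcome

	// The questioner's problem: a Release resigned with the new key is unverifiable.
	out.NewKeyBeforeRotation = client.VerifyRelease(sign(newPriv, release))

	// The stolen key cannot push a rotation record of its own.
	rogue := Rotation{Revoke: idOf(oldPub), NewPub: evilPub}
	out.RogueRotation = client.ApplyRotation(rogue, ed25519.Sign(oldPriv, rogue.encode()), idOf(oldPub))

	// The offline rotation key can.
	legit := Rotation{Revoke: idOf(oldPub), NewPub: newPub}
	out.LegitRotation = client.ApplyRotation(legit, ed25519.Sign(rotPriv, legit.encode()), idOf(rotPub))

	out.NewKeyAfterRotation = client.VerifyRelease(sign(newPriv, release))
	out.OldKeyAfterRotation = client.VerifyRelease(sign(oldPriv, release))
	return out
}

func main() {
	o := Scenario()
	fmt.Println("new key before rotation:", o.NewKeyBeforeRotation)
	fmt.Println("rogue rotation:         ", o.RogueRotation)
	fmt.Println("legit rotation:         ", o.LegitRotation)
	fmt.Println("new key after rotation: ", o.NewKeyAfterRotation)
	fmt.Println("old key after rotation: ", o.OldKeyAfterRotation)
}
```

The point of the sketch is the pre-distribution step: the rotation key has to be on every client before the compromise, which is exactly the mechanism the reply says Debian lacks. It does not remove the trust-on-first-use root (an attacker who also obtains the offline rotation key wins), it only moves the single point of failure to a key that is never used online, and a real implementation would also need the revocation record to be fetched and verified by apt itself rather than through a package that the revoked key signs.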