Re: Archive GPG key expiring process
> I am just wondering about a hypothetical situation where the master GPG key
> used for signing the Debian archive was stolen. After creating a new master
> key and getting a new public key into the debian-keyring package, how would
> you get that to users?
> I mean if you re-signed the release file after the attack happened with a
> new master key that would mean nobody could apt-get the debian-keyring
> package for the new public key.
> I am wondering if I am missing something. Is there a process for this
Debian has no good mechanism to revoke apt keys in case of compromise,
nor a way to inform users in emergency situations:
An apt key revoker should be written:
It's on my list, but I never got to it:
So anyone should feel encouraged to do something about it.