[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#345891: needs update for new archive key

On Fri, Jan 06, 2006 at 05:21:04PM +1100, Andrew Vaughan wrote:
> Hi

> Further things to consider.  Apologies if I these have already been handled.

> 1. Dec 2006 Etch releases.  Jill downloads and burns etch install cd.
>    Jan 2007, old archive key expires, new archive key issued.
>    Jan 2008, old archive key expires, new archive key issued.
>    Mar 2008, Jill tries to install from the cd created in Dec 2006.  

>    Will that work?

>    Will that work if all debian-archive-keys were revoked/replaced in
>    mid 2007?

The ISO images are generated on a different machine from ftp-master, with
their own Release files which must be signed by a separate key.  The policy
for those keys (and for keys used for signing stable in general?) probably
needs to be separate from that used on the ftp archive.

Anyway, if by "install" you mean "fresh install", rather than just "install
some packages from this CD", the keys contained *on* the CD are ultimately
trusted (as is the rest of the software on the CD at time of install,
basically) at least until the point when you add some external apt source
that pulls revocation certificates from the network.  So doing an install
from the CD should work fine, as long as the CD-signing key has no
expiration date or one sufficiently far in the future to cover our
worst-case needs for etch, or we provide some override in the CD to allow
installing with an ancient signature.  Either way, I think ISOs pose much
less of a problem for us than ftp apt sources for stable.

> 2. security.d.o will (presumably) also be signed. 
>    Will that be using the same key?

I don't see any good reason to use the same key, given that they're on
separate systems.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Attachment: signature.asc
Description: Digital signature

Reply to: