David Hubner:

> Hi,
>
> I am just wondering about a hypothetical situation where the master GPG key
> used for signing the Debian archive was stolen. After creating a new master
> key and getting a new public key into the debian-keyring package, how would
> you get that to users?
>
> I mean if you re-signed the Release file after the attack happened with a
> new master key, that would mean nobody could apt-get the debian-keyring
> package for the new public key.
>
> I am wondering if I am missing something. Is there a process for this
> possibility?
>
> Thanks
Debian has no good mechanism to revoke apt keys in case of compromise, nor a way to inform users in emergency situations:
https://lists.debian.org/debian-security/2013/10/msg00065.html

An apt key revoker should be written:
https://lists.debian.org/debian-security/2013/12/msg00031.html

It's on my list, but I never got to it:
https://github.com/Whonix/Whonix/issues/125

So anyone feel encouraged to do something about it.

Cheers,
Patrick

Archive: https://lists.debian.org/54414e7d.7040...@riseup.net