Hi,

On 23.12.2013 17:48, Daniel Kahn Gillmor wrote:
> But if apache is issuing cryptographic signatures from any of the weak
> keys in KEYS, we should encourage them to stop doing so. Apache's
> source code is a high-value target, and we should not leave the software
> distribution mechanism open to fiddling based on weak keys for
> cryptographic certifications.
[..]
> I recommend filtering KEYS by removing every key whose primary key (or
> any signing-capable subkey) is less than 3072 bits (assuming RSA or DSA
> keys here) before storing it in debian/upstream-signing-key.pgp.
I'm absolutely with you on that. I strongly agree that Apache people should use stronger keys. However, we're a distribution - it's not our job to define key requirements for upstreams. We can, and maybe should, talk to them on that matter, but technically it's not only Jim who is allowed to release new versions of the Apache web server. That being said, it's up to them to accept/define the valid and legit keys used within their project.

Therefore, I thought a more complete patch would be a keyring which includes all signatures of people allowed to sign and release code on behalf of the httpd project. I do not mind removing "weak" keys again, but then I wonder if there is an actual benefit if Jim for once doesn't sign a release.

Either way, we should move this discussion to upstream I guess.

-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
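The filtering rule quoted above (drop any key whose primary key or any signing-capable subkey is RSA/DSA below 3072 bits), as an added example that is not part of this thread or of Debian's packaging tooling. It parses `gpg --with-colons --list-keys` output; the key IDs and sizes in the sample are constructed placeholders, not the real Apache KEYS file, and ECC keys are skipped as the rule only speaks of RSA/DSA.

```python
"""Apply the key-size rule from the thread to an exported KEYS file:
flag any OpenPGP key whose primary key, or any signing-capable subkey,
is RSA/DSA shorter than MIN_BITS. Input is `gpg --with-colons` output."""

MIN_BITS = 3072
RSA_DSA_ALGOS = {1, 3, 17}  # OpenPGP algo ids: RSA, RSA sign-only, DSA

# Constructed sample of `gpg --with-colons --list-keys` output; the key IDs
# are placeholders, not real Apache keys. Field 3 = bits, 4 = algo, 12 = caps.
SAMPLE_COLONS = """\
pub:u:4096:1:AAAAAAAAAAAAAAA1:1356912000:::u:::scESC::::::23::0:
sub:u:4096:1:AAAAAAAAAAAAAAA2:1356912000::::::e::::::23:
pub:u:1024:17:BBBBBBBBBBBBBBB1:1040000000:::u:::scSC::::::23::0:
sub:u:2048:16:BBBBBBBBBBBBBBB2:1040000000::::::e::::::23:
pub:u:4096:1:CCCCCCCCCCCCCCC1:1356912000:::u:::cESC::::::23::0:
sub:u:2048:1:CCCCCCCCCCCCCCC2:1356912000::::::s::::::23:
pub:u:4096:1:DDDDDDDDDDDDDDD1:1356912000:::u:::cESC::::::23::0:
sub:u:2048:1:DDDDDDDDDDDDDDD2:1356912000::::::e::::::23:
"""


def weak_keys(colons_output, min_bits=MIN_BITS):
    """Map primary key ID -> list of reasons for every key the rule rejects.
    Encryption-only subkeys are ignored: they cannot sign releases."""
    weak, current = {}, None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue  # uid/fpr/sig records carry no key material
        bits, algo, keyid = int(f[2]), int(f[3]), f[4]
        caps = f[11] if len(f) > 11 else ""
        if f[0] == "pub":
            current = keyid
            if algo in RSA_DSA_ALGOS and bits < min_bits:
                weak.setdefault(current, []).append(f"primary key is {bits}-bit")
        elif current and "s" in caps and algo in RSA_DSA_ALGOS and bits < min_bits:
            weak.setdefault(current, []).append(f"signing subkey {keyid} is {bits}-bit")
    return weak


def keep_keyids(colons_output, min_bits=MIN_BITS):
    """Primary key IDs that pass, in file order, ready for `gpg --export`."""
    rejected = weak_keys(colons_output, min_bits)
    return [l.split(":")[4] for l in colons_output.splitlines()
            if l.startswith("pub:") and l.split(":")[4] not in rejected]
```

Key D is kept on purpose: its 2048-bit subkey is encryption-only, so it cannot produce release signatures and the rule as stated does not reject it.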