Anthony Towns <[email protected]> writes:

> On Thu, Jan 11, 2007 at 11:51:21PM +0100, Javier Fernández-Sanguino Peña
> wrote:
>> I thought that the 2007 key was (based on [1]) supposed to be available
>> early in January and available in the debian-archive-keyring package. Which
>> doesn't seem to be the case.
>
> The key we'll be using (and indeed are already using) is available as:
>
>   http://ftp-master.debian.org/archive-key-4.0.asc
>
> It's expected to be valid until sometime after lenny is released.
>
> If you've upgraded a testing/unstable system in the past month or two,
> you'll find that key has been automatically added to your apt key list,
> after being verified by the normal trust path for upgraded packages --
> namely the current archive key you've been using, then the sha1sum of
> the Packages file and finally the md5sum of the apt package containing
> the updated key.

Interesting -- are there any formal procedures for the official signing
key? I mean, how is the key generated, where is it stored, who has
access to it, is it on an online machine etc?

I think describing this would be useful, as a case-study of how to
manage an important key on a best-effort basis.

/Simon
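
The trust path described in the quoted message (current archive key, then the sha1sum of the Packages file, then the md5sum of the apt package), as an added example in Python that is not part of the original thread. It covers the two hash steps and assumes the archive-key signature on the Release file has already been checked; the function names and all sample data are constructed for illustration.

```python
import hashlib

def release_sha1(release_text, path):
    """Return (sha1, size) listed for `path` in the SHA1 section of a Release file."""
    in_sha1 = False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new field header starts in column 0
            in_sha1 = line.strip() == "SHA1:"
        elif in_sha1:
            digest, size, name = line.split()
            if name == path:
                return digest, int(size)
    raise LookupError(f"{path} not listed under SHA1")

def package_entry(packages_text, name):
    """Return the fields of the stanza for package `name` in a Packages index."""
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields.get("Package") == name:
            return fields
    raise LookupError(f"{name} not in Packages")

def verify_chain(release_text, packages_path, packages_bytes, pkg, deb_bytes):
    """Hash steps of the trust path; the signature on Release is assumed verified."""
    sha1, size = release_sha1(release_text, packages_path)
    if len(packages_bytes) != size or hashlib.sha1(packages_bytes).hexdigest() != sha1:
        return False                          # Packages is not the file Release vouches for
    entry = package_entry(packages_bytes.decode(), pkg)
    return (len(deb_bytes) == int(entry["Size"])
            and hashlib.md5(deb_bytes).hexdigest() == entry["MD5sum"])

# Constructed sample data standing in for a real Release, Packages and apt .deb.
DEB = b"constructed stand-in for the apt .deb contents"
PACKAGES = (
    "Package: apt\nVersion: 0.0-constructed\n"
    "Filename: pool/main/a/apt/apt_constructed.deb\n"
    f"Size: {len(DEB)}\nMD5sum: {hashlib.md5(DEB).hexdigest()}\n"
).encode()
PATH = "main/binary-i386/Packages"
RELEASE = (f"Suite: constructed\nSHA1:\n"
           f" {hashlib.sha1(PACKAGES).hexdigest()} {len(PACKAGES)} {PATH}\n")

if __name__ == "__main__":
    print("intact chain:", verify_chain(RELEASE, PATH, PACKAGES, "apt", DEB))
    print("modified .deb:", verify_chain(RELEASE, PATH, PACKAGES, "apt", DEB + b"x"))
```

A Packages file rewritten to match a modified .deb fails at the sha1 step, which is why each link depends on the one before it and ultimately on the archive key.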

