On Mon, Feb 05, 2007 at 04:14:07PM -0500, Joey Hess wrote:
> Seems you have still missed replying to this.
> The 2006 key expires on the 7th and is still being used to sign the
> archive.
> If this is being used as an empirical way to find out what breaks, fine.
> So far all I know of is debmirror << 20070123. But I wish you could at
> least answer my mails about it.

FWIW, an additional problem was brought up on IRC last night -- apparently
the new key is not yet being used to sign the security.d.o archive, only the
old key that will be expiring shortly.

> Joey Hess wrote:
> > I think you may have missed replying to this. I'd really like to know
> > what's going to happen with the 2006 key expiry.
> >
> > Joey Hess wrote:
> > > Anthony Towns wrote:
> > > > The key we'll be using (and indeed are already using) is available as:
> > > >
> > > > http://ftp-master.debian.org/archive-key-4.0.asc
> > > >
> > > > It's expected to be valid until sometime after lenny is released.
> > >
> > > I feel that we've been pretty miserable at communicating this stuff to
> > > our developers and our users. While I knew about the etch key (hard to
> > > miss it, given the ugly behavior it caused in apt when the archive was
> > > signed with it, before it reached debian-archive-keyring), it wasn't at
> > > all clear that it would be used to sign anything other than etch.
> > >
> > > I've tried to update http://wiki.debian.org/SecureApt to reflect what
> > > you've said.
> > >
> > > I'm still not clear what will happen to the still existing yearly signing
> > > key though. It's hard to predict what will happen if we reach
> > > 2007-02-07 and 2D230C5F expires. I think that due to #400526, it will at
> > > least break debmirror. If we're phasing out the yearly signing key, we
> > > should be sure to stop signing the archive with it, before it expires.
> > > Obviously, if we're not phasing it out, we have a rapidly shrinking
> > > window to create the 2007 key.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/

