On Wed, Jul 26, 2006 at 04:22:12PM +0100, martin f krafft wrote:

> The way I envision key management is that every Debian machine
> trusts the SPI CA. Then we provide a page to download and verify
> keys, protected by SSL/TLS. Finally, we give the user easy-to-use
> tools to install these keys, and proper error messages from APT that
> will make it obvious what to do.
>
> I don't think it's asking too much of our users to manually declare
> trust for a new release. But we should definitely get rid of the
> one-year-long archive keys, which make no sense. Instead, have a key
> for etch, one for sid, one for etch+1, one for security, and so on.
> The user can then pick which ones s/he wants to trust.
While we're at it, I am very much in favor of starting to accept binary
package signatures again. We were on the right track to assure package
integrity on a package level when our archive suddenly stopped accepting
signed binary packages.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt   | Fax: *49 621 72739835