On Sunday 15 February 2009 13:39:16 Kent West wrote:
> So I am correct in believing that someone who is upgrading from an etch
> stable system to Lenny will be presented with this quandary that he
> can't trust the Lenny repository until he first trusts the Lenny
> repository?

No, they will get the error/warning that one of the two signatures is from a 
key that is not in the keyring.  Aptitude, apt, etc. will still report the 
packages as trusted (and not further complain) since one of the signatures is 
good and trusted.

As part of the upgrade to Lenny, you'll get the second key added to your 
trusted keyring and both the the two signatures will be good and trusted until 
Debian drops the signature made with the old key from the mirrors.  (The old 
key expires in June, I think.)
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
b...@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to