Daryl C. W. O'Shea wrote, On 19/01/10 3:41 PM:
> Skimming...
>
> On 18/01/2010 9:10 PM, Sidney Markowitz wrote:
>> There is a new signing key for the 3.3.0 release and which will be used
>> for sa-update rules starting now.
>
> We're still going to use the old key for updates for 3.2, if we do them,
> right? Forcing a key change for 3.2 would be bad, IMO.

The more I thought about it as I started to answer you, the more confusing things I thought of...

First, are we going to update the 3.2 channel after 3.3.0 is released? If we aren't, then the key is irrelevant for 3.2. If we are, then are we going to ignore bug 5924 with regard to 3.2? Keeping the old key means that people who update on the 3.2 channel have to keep an old version of gpg installed.

Finally, what was the reason for generating a new key rather than fixing bug 5924 by cross-signing the old one? Wasn't it a security reason? Was it because the old key was one of the flawed ones that resulted from that rng bug that made lots of people have to make new keys? If it's a security flaw, we have to go to the new one.

-- sidney
