[MLUG] uncertainty about iceweasle backport keys; security risk, or groundless fretting?

[Brian van den Broek]

Hi all,

I am trying to install iceweasle 5.0 on crunchbang CrunchBang 10 Statler
r20110207 via the instructions at the page http://mozilla.debian.net/
(filled out with Squeeze, iceweasle, and release). I barely know what I
am doing here and would appreciate the list's input.
The page says that I ought expect the following when importing the
archive gpg keys:

$ wget -O- -q http://mozilla.debian.net/archive.asc | gpg --import
gpg: key 06C4AE2A: public key "Debian Mozilla team APT archive 
<pkg-mozilla-maintain...@lists.alioth.debian.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
$ gpg --check-sigs --fingerprint --keyring 
/usr/share/keyrings/debian-keyring.gpg 06C4AE2A
pub   4096R/06C4AE2A 2010-11-20 [expires: 2011-11-20]
      Key fingerprint = 85F0 6FBC 75E0 67C3 F305  C3C9 85A3 D265 06C4 AE2A
uid                  Debian Mozilla team APT archive 
<pkg-mozilla-maintain...@lists.alioth.debian.org>
sig!3        06C4AE2A 2010-11-20  Debian Mozilla team APT archive 
<pkg-mozilla-maintain...@lists.alioth.debian.org>
sig!         54FD2A58 2010-11-20  Mike Hommey <m...@glandium.org>

1 signature not checked due to a missing key


What I am getting is:

$ wget -O- -q http://mozilla.debian.net/archive.asc | gpg --import
gpg: key 06C4AE2A: public key "Debian Mozilla team APT archive 
<pkg-mozilla-maintain...@lists.alioth.debian.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
$ gpg --check-sigs --fingerprint --keyring 
/usr/share/keyrings/debian-keyring.gpg 06C4AE2A
gpg: keyblock resource `/usr/share/keyrings/debian-keyring.gpg': file 
open error
pub   4096R/06C4AE2A 2010-11-20 [expires: 2011-11-20]
      Key fingerprint = 85F0 6FBC 75E0 67C3 F305  C3C9 85A3 D265 06C4 AE2A
uid                  Debian Mozilla team APT archive 
<pkg-mozilla-maintain...@lists.alioth.debian.org>
sig!3        06C4AE2A 2010-11-20  Debian Mozilla team APT archive 
<pkg-mozilla-maintain...@lists.alioth.debian.org>

2 signatures not checked due to missing keys


Below the expected terminal output, the page says:

  The latter message about signature not being checked is expected, as
  the archive key is signed by two keys, but only one being in the
  Debian keyring at a given moment: 54FD2A58 is an old key that is going
  to be deprecated and replaced with A6AA8C72. You can thus also expect
  the last signature validation to differ depending on the Debian
  keyring version you use.

That seems to me to imply that the expected state of affairs is indeed
that one of the two keys will be validated. I'm not sure if I ought to
be alarmed that neither is. Would people be inclined to forge ahead or
to take this as a sign that the repositories needed for iceweasle 5.0
might have been compromised?

Thanks and best,

Brian vdB
_______________________________________________
mlug mailing list
mlug@listserv.mlug.ca
https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca