actually, there is no need for tons of documentation: the usage of the package debian-archive-keyring should really automate the whole thing, as long as it is done correctly:
1) release team generates new key and new package debian-archive-keyring
2) users install it: in postinst, /usr/bin/apt-key update is run
3) after some time (>10 days), release team starts using new key

If done that way, it really works, and we have a trust path, since the new package debian-archive-keyring is certified by the old key.

The problem is that, in this particular case, the new package debian-archive-keyring was released 22 Nov, and the new key was used almost immediately: so people using testing did not have time to import it.

next time, they should just wait (at least 10 days - but maybe 30 days would be better)

a.

Andreas Tille wrote:
> On Tue, 21 Nov 2006, Kurt Roeckx wrote:
>
>> On Tue, Nov 21, 2006 at 04:50:29PM -0600, Peter Samuelson wrote:
>>>
>>> [Martin Zobel-Helas]
>>>> gpg --recv-keys A70DAF536070D3A1 && (gpg --export -a
>>>> A70DAF536070D3A1 | apt-key add -)
>>>
>>> Uh, don't forget the part about verifying that the key is actually
>>> signed by the ftpmasters. Skipping that step pretty much defeats the
>>> entire point.
>>>
>>> gpg --list-sigs A70DAF536070D3A1
>>
>> Try gpg --check-sigs A70DAF536070D3A1 instead.
>
> But Hendrik Sattler is perfectly right and this knowledge has to be stored
> at prominent places like:
>
> a) installation manual
> b) apt-key.8
> c) perhaps somewhere else
>
> Could maintainers of a) and b) (and perhaps c) ;-)) acknowledge, that this
> will be done or should we rather file bug reports (IMHO with severity
> "important") to these packages?
>
> Kind regards
>
> Andreas.
>
> PS: debian-boot@lists.debian.org in CC because of the installation manual
> issue. Forgive me if this should be off-topic there.
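The check discussed in the quoted exchange above (run gpg --check-sigs, not just --list-sigs, and only pipe the key to apt-key add once it carries a good certification from a key you already trust), as an added example that is not from the thread or from the debian-archive-keyring package. It parses gpg's machine-readable --with-colons output; the archive key ID is the one from the thread, while the trusted signer IDs and the sample gpg output are constructed.

```python
"""Import an archive key only after gpg --check-sigs shows a good certification from a trusted signer."""
import subprocess

# Key ID from the thread; the trusted signer set is a constructed placeholder
# (in practice: the ftpmaster keys or the previous archive key).
ARCHIVE_KEY = "A70DAF536070D3A1"
TRUSTED_SIGNERS = {"0123456789ABCDEF"}  # constructed

def good_certifiers(colon_output, keyid):
    """Key IDs with a good ('!') certification on `keyid`, parsed from
    `gpg --with-colons --check-sigs`: in a 'sig' record field 2 is the
    verification result and field 5 the signer's key ID. Self-sigs and sigs
    that are bad ('-'), from unknown keys ('?') or merely listed (empty
    field 2, which is all --list-sigs tells you) are ignored."""
    keyid = keyid.upper()
    certifiers, in_target = set(), False
    for line in colon_output.splitlines():
        f = line.split(":")
        if len(f) < 5:
            continue
        if f[0] == "pub":
            in_target = f[4].upper().endswith(keyid)  # short or long key ID
        elif f[0] == "sig" and in_target:
            validity, signer = f[1], f[4].upper()
            if validity == "!" and not signer.endswith(keyid):
                certifiers.add(signer)
    return certifiers

def may_import(colon_output, keyid, trusted=TRUSTED_SIGNERS):
    """True only if a trusted signer made a good certification."""
    return bool(good_certifiers(colon_output, keyid) & set(trusted))

def check_and_export(keyid):
    """Run gpg for real; return the armoured key for `apt-key add -`, or None."""
    def gpg(*args):
        return subprocess.run(["gpg", *args], capture_output=True,
                              text=True, check=True).stdout
    if not may_import(gpg("--with-colons", "--check-sigs", keyid), keyid):
        return None
    return gpg("--export", "-a", keyid)

# Constructed sample of `gpg --with-colons --check-sigs A70DAF536070D3A1`.
SAMPLE_CHECK_SIGS = """\
pub:-:4096:1:A70DAF536070D3A1:1163000000:1195000000::-:::scESC:
uid:-::::1163000000::HASH::Constructed archive key <ftpmaster@example>:
sig:!::1:A70DAF536070D3A1:1163000000::::Constructed archive key:13x:
sig:!::1:0123456789ABCDEF:1163000100::::Constructed trusted signer:10x:
sig:-::1:FEDCBA9876543210:1163000200::::Constructed bad signature:10x:
sig:?::1:1111222233334444:1163000300::::Constructed unknown signer:10x:
"""
```

With a real keyring, `check_and_export(ARCHIVE_KEY)` returns the armoured key only when a signer from TRUSTED_SIGNERS has verified, which is the step the one-liner in the thread skipped.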