Re: Archive GPG key expiring process

2014-10-18 Thread Patrick Schleizer
Yves-Alexis Perez:
> On sam., 2014-10-18 at 13:55 +, Patrick Schleizer wrote:
>> Otherwise, what are the relevant people, how to contact them?
>
> You can find some hints in
> https://lists.debian.org/debian-security/2013/10/msg00066.html
>
> If it's really that hard, here are some pointers.

Re: Archive GPG key expiring process

2014-10-18 Thread Yves-Alexis Perez
On sam., 2014-10-18 at 13:55 +, Patrick Schleizer wrote:
> Otherwise, what are the relevant people, how to contact them?
You can find some hints in https://lists.debian.org/debian-security/2013/10/msg00066.html
If it's really that hard, here are some pointers.
DSA: https://dsa.debian.org/ (l

Re: Archive GPG key expiring process

2014-10-18 Thread Patrick Schleizer
Yves-Alexis Perez:
> On ven., 2014-10-17 at 17:14 +, Patrick Schleizer wrote:
>> Debian has no good mechanism to revoke apt keys in case of compromise,
>> neither a way to inform users in emergency situations:
>> https://lists.debian.org/debian-security/2013/10/msg00065.html
>
> The only infor

Re: Archive GPG key expiring process

2014-10-18 Thread Yves-Alexis Perez
On ven., 2014-10-17 at 17:14 +, Patrick Schleizer wrote:
> Debian has no good mechanism to revoke apt keys in case of compromise,
> neither a way to inform users in emergency situations:
> https://lists.debian.org/debian-security/2013/10/msg00065.html
The only information is that thread (which

Re: Archive GPG key expiring process

2014-10-17 Thread Patrick Schleizer
David Hubner:
> Hi,
>
> I am just wondering about a hypothetical situation where the master GPG key
> used for signing the debian archive was stolen. After creating a new master
> key and getting a new public key into the debian-keyring package, how would
> you get that to users?
>
> I mean if yo

Re: Archive GPG key expiring process

2014-10-17 Thread rush
Hi,
That is not correct. A missing key does not disable the installation feature of the package manager.
1. You can import the key manually. Like this:
   sudo apt-key adv --keyserver subkeys.pgp.net --recv-keys XX
2. Even with a non-imported key, apt-get/aptitude will allow you to install software (includin

Archive GPG key expiring process

2014-10-17 Thread David Hubner
Hi,
I am just wondering about a hypothetical situation where the master GPG key used for signing the debian archive was stolen. After creating a new master key and getting a new public key into the debian-keyring package, how would you get that to users?
I mean if you resigned the release file af