Source: mini-buildd
Version: 1.0.7
Severity: wishlist

Hi,

while investigating a way to address #790775, I noticed that my old
archive signing key is only a 1024D key which needs to be replaced
ASAP. Thinking further caused me to notice that mini-buildd needs a
way to implement archive key rollover.

I didn't see anything about this in the docs.

I think a possible way would be to add a way to the webinterface to
manage daemon keys. The natural way to do this would probably be in
the "Change Daemon" dialog, where a Gnupg template is already listed.
That dialog would grow an enable-disable field (I don't know what this
is called in web development; I mean the thing that is, for example, in
E-Mail options under "notify"), with a number of available keys in the
left pane and a number of keys being used in the right pane.

By adding to this list, one would either have the possibility to have
mini-buildd call gpg --gen-key oneself or one would have the
possibility to paste an ascii armored private key to cover the
migration key.

The keyring packages that can be generated from the web interface
would contain _all_ keys configured here, while the archive would be
signed with the one selected key to be currently used.

That way, a key rollover could be accomplished by:

- generate new key and add to the key list.
- keep old key as archive signing key.
- rebuild keyring packages
- roll out keyring packages to all systems
- once rollout is completed:
- configure mini-buildd to use new key as archive signing key
- remove old key from key list
- rebuild keyring packages
- roll out keyring packages to all systems

A migration setting from an old mini-buildd/reprepro setup would be:

- install mini-buildd with default values
- a new key would be generated
- the admin could then add the old key to the key list and select it
  to be used as archive signing key
- rebuild keyring packages
- roll out keyring packages to all systems
- once rollout is completed:
- configure mini-buildd to use new key as archive signing key
- remove old key from key list
- rebuild keyring packages
- roll out keyring packages to all systems

This mechanism is, however, a strict wishlist item for the future.

Greetings
Marc
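The two step lists above share one invariant: the key that signs the archive must already be in the keyring that every client system has installed, and a key may only leave the key list once it no longer signs anything. The following is an added model of that procedure, not code from mini-buildd or from the report's author; key identifiers are plain strings standing in for fingerprints, and the class names, the `deployed` set and the `RolloverError` exception are assumptions made for the example. It runs both the rollover and the reprepro migration sequence and refuses the two steps that would leave clients unable to verify a Release file.

```python
"""Model of the archive-signing-key rollover described in the report.

Added example, not mini-buildd code: it tracks which keys the keyring
package contains, which key signs the archive, and which keyring the
client systems have actually received, and rejects any step that would
leave clients unable to verify the archive.
"""


class RolloverError(Exception):
    """Raised when a step would break verification on client systems."""


class ArchiveKeys:
    """State of one mini-buildd instance plus its fleet of client systems.

    Key identifiers are plain strings standing in for OpenPGP fingerprints
    (constructed for this example).
    """

    def __init__(self, initial_key):
        self.key_list = {initial_key}          # keys configured in the daemon
        self.signing_key = initial_key         # key that signs Release files
        self.keyring_package = frozenset(self.key_list)  # last built package
        self.deployed = frozenset()            # keyring installed on clients

    def add_key(self, key):
        """Generated by the daemon or pasted as an armored key; either way
        it just joins the key list."""
        self.key_list.add(key)

    def rebuild_keyring(self):
        """Keyring package contains _all_ configured keys."""
        self.keyring_package = frozenset(self.key_list)
        return self.keyring_package

    def roll_out(self):
        """Install the current keyring package on every client system."""
        self.deployed = self.keyring_package

    def set_signing_key(self, key):
        """Switch the archive signing key.

        Allowed only once every client already trusts the key; otherwise
        the next Release file would fail verification on them.
        """
        if key not in self.key_list:
            raise RolloverError(f"{key} is not in the key list")
        if key not in self.deployed:
            raise RolloverError(f"{key} has not been rolled out to clients")
        self.signing_key = key

    def remove_key(self, key):
        """Drop a key from the list; the active signing key cannot go."""
        if key == self.signing_key:
            raise RolloverError(f"{key} is still the archive signing key")
        self.key_list.discard(key)

    def clients_can_verify(self):
        """True if the key signing the archive is in the deployed keyring."""
        return self.signing_key in self.deployed


def rollover(state, new_key):
    """The rollover sequence from the report; old key signs until rollout."""
    old_key = state.signing_key
    state.add_key(new_key)          # generate new key and add to the list
    state.rebuild_keyring()         # keyring now carries old + new key
    state.roll_out()                # every client trusts both keys
    state.set_signing_key(new_key)  # safe: clients already hold the new key
    state.remove_key(old_key)       # old key no longer needed
    state.rebuild_keyring()         # keyring with the new key only
    state.roll_out()
    return state


def migrate_from_legacy(old_key, generated_key="new-daemon-key"):
    """Migration from an old mini-buildd/reprepro setup (second list)."""
    state = ArchiveKeys(generated_key)     # default install generates a key
    state.add_key(old_key)                 # admin adds the legacy key
    state.deployed = frozenset({old_key})  # legacy clients trust only it
    state.set_signing_key(old_key)         # keep signing with the old key
    return rollover(state, generated_key)  # then the normal rollover


if __name__ == "__main__":
    s = ArchiveKeys("old-1024D-key")
    s.rebuild_keyring()
    s.roll_out()
    rollover(s, "new-4096R-key")
    print(s.signing_key, sorted(s.key_list), s.clients_can_verify())
```

The guard in `set_signing_key` is the one that matters in practice: switching the signing key before the keyring package has reached all systems is exactly the failure the ordering in the report is designed to avoid.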
