On Tue, Jan 03, 2006 at 11:07:37PM -0500, Joey Hess wrote:
> Package: apt
> Version: 0.6.43
> Severity: serious
> Tags: d-i

Thanks for your bug report and sorry for my late reply.

> apt needs to be updated for this year's archive key which is apparently
> the one at http://ftp-master.debian.org/ziyi_key_2006.asc

The new key is added to my baz repository and it will be part of the
next (very soon) upload. 

> I'm tagging this bug d-i because not having the key up-to-date in apt
> breaks new installations since apt doesn't work, and will begin breaking
> d-i even worse once the old archive key expires.

The updated default key in apt means that new installs will be fine,
but we need a better system for upgrades (see below).

> FWIW, I think that the archive key should be split out into a new
> package that can be updated more easily than apt, but for now a quick
> fix is called for.

I think the same. My proposal is to create a new debian-server-keyring
[1] package that contains:
/usr/share/keyrings/debian-archive-keyring.gpg
/usr/share/keyrings/debian-archive-removed-keys.gpg

and calls "apt-key update" in its postinst. apt-key update will add
new keys from "debian-archive-keyring.gpg" via "apt-key add" and remove
keys in debian-archive-removed-keys.gpg via "apt-key del".

This way installing/updating the package will ensure that new keys are
added as required and obsolete keys can be removed. Because the keys
are part of a package and the package is covered with the trust-chain
there is no trust-chain violation.

If people are happy with my proposal I'll prepare and upload such a
package. 

Cheers,
 Michael

[1] I think we should create a new package and not use debian-keyring
because debian-keyring is pretty big.
-- 
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
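The update step the proposal sketches, as an added shell example that is not apt's own apt-key code: the reconciliation logic is kept separate from the gpg and apt-key calls so it can be checked on plain lists of key IDs. The function names, the temporary-file layout and the use of /etc/apt/trusted.gpg as apt's current keyring are my assumptions; the two shipped keyring paths are the ones proposed above.

```shell
#!/bin/sh
# Added example, not apt's apt-key implementation: reconcile apt's trusted
# keys with the two keyrings the proposed package would ship.

# Inputs are files with one long key ID per line:
#   $1 IDs apt trusts now, $2 IDs in debian-archive-keyring.gpg,
#   $3 IDs in debian-archive-removed-keys.gpg.
# Prints "add <id>" for shipped keys apt lacks and "del <id>" for removed
# keys apt still has. A key present in both shipped keyrings is current and
# is never deleted, so a stale removed-keys list cannot revoke a live key.
plan_key_changes() {
    trusted=$1 archive=$2 removed=$3
    while read -r id; do
        [ -n "$id" ] || continue
        grep -qxF "$id" "$trusted" || echo "add $id"
    done < "$archive"
    while read -r id; do
        [ -n "$id" ] || continue
        grep -qxF "$id" "$archive" && continue   # still shipped: keep it
        grep -qxF "$id" "$trusted" && echo "del $id"
    done < "$removed"
    return 0
}

# Long key IDs of every public key in a GPG keyring file (needs gpg).
keyring_ids() {
    gpg --no-default-keyring --keyring "$1" --list-keys --with-colons 2>/dev/null |
        awk -F: '$1 == "pub" { print $5 }'
}

# The postinst-style driver: build the ID lists, then apply the plan with apt-key.
apt_key_update() {
    archive_gpg=/usr/share/keyrings/debian-archive-keyring.gpg
    removed_gpg=/usr/share/keyrings/debian-archive-removed-keys.gpg
    tmp=$(mktemp -d) || return 1
    keyring_ids /etc/apt/trusted.gpg > "$tmp/trusted"
    keyring_ids "$archive_gpg" > "$tmp/archive"
    keyring_ids "$removed_gpg" > "$tmp/removed"
    plan_key_changes "$tmp/trusted" "$tmp/archive" "$tmp/removed" |
    while read -r action id; do
        case $action in
            add) gpg --no-default-keyring --keyring "$archive_gpg" \
                     --export "$id" | apt-key add - ;;
            del) apt-key del "$id" ;;
        esac
    done
    rm -rf "$tmp"
}
```

Running apt_key_update needs root and a working gpg; plan_key_changes alone can be exercised on hand-written ID lists to see which keys an upgrade would add or drop.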