Hi,

On Fri Jan 19, 2007 at 13:01:45 +0100, Goswin von Brederlow wrote:
> Anthony Towns <aj@azure.humbug.org.au> writes:
>
> > On Thu, Jan 11, 2007 at 11:51:21PM +0100, Javier Fernández-Sanguino Peña wrote:
> >> I thought that the 2007 key was (based on [1]) supposed to be available
> >> early in January and available in the debian-archive-keyring package. Which
> >> doesn't seem to be the case.
> >
> > The key we'll be using (and indeed are already using) is available as:
> >
> >     http://ftp-master.debian.org/archive-key-4.0.asc
> >
> > It's expected to be valid until sometime after lenny is released.
> >
> > If you've upgraded a testing/unstable system in the past month or two,
> > you'll find that key has been automatically added to your apt key list,
> > after being verified by the normal trust path for upgraded packages --
> > namely the current archive key you've been using, then the sha1sum of
> > the Packages file and finally the md5sum of the apt package containing
> > the updated key.
> >
> > Debian developers can obtain the key from merkel over ssh, by looking
> > in /srv/ftp.debian.org/web/archive-key-4.0.asc. The key id is 6070D3A1
> > which can be obtained from the key servers with signatures from both me
> > and Steve Langasek.
> >
> > Cheers,
> > aj
>
> Does that mean etch will not be signed by an offline key? Was stable
> ever signed with an offline key?
>
> I think signing stable with an online key without passphrase is a
> serious loss/lack of trustiness in it. It means that if the archive
> gets compromised then stable package can be replaced without apt
> noticing.

Stable will be signed by both, online and offline key. Also every point
release will be signed by both keys.

Greetings
Martin
-- 
[EMAIL PROTECTED] /root]# man real-life
No manual entry for real-life
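
The trust path quoted in this thread (archive key, then the sha1sum of the Packages file, then the md5sum of the apt package) can be checked link by link. The sketch below is an added example, not code from the thread or from apt. It assumes the signature on the Release file has already been verified against the archive key, and all file contents, paths and function names in it are constructed for illustration.

```python
import hashlib

def release_sha1_entries(release_text):
    """Map path -> (sha1 hex, size) from the 'SHA1:' block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new field starts at column 0
            in_block = line.strip() == "SHA1:"
        elif in_block:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def package_stanza(packages_text, name):
    """Return the fields of one package stanza from a Packages index."""
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields.get("Package") == name:
            return fields
    raise KeyError(name)

def verify_chain(release_text, index_path, packages_bytes, name, deb_bytes):
    """True only if every link below the (already verified) signature holds."""
    sha1, size = release_sha1_entries(release_text).get(index_path, (None, None))
    if len(packages_bytes) != size or hashlib.sha1(packages_bytes).hexdigest() != sha1:
        return False                          # Packages index not vouched for by Release
    fields = package_stanza(packages_bytes.decode(), name)
    return (len(deb_bytes) == int(fields["Size"])
            and hashlib.md5(deb_bytes).hexdigest() == fields["MD5sum"])

# Constructed sample data (not real archive contents).
DEB = b"constructed stand-in for the apt .deb carrying the new key"
PACKAGES = ("Package: apt\nFilename: pool/main/a/apt/apt_0_i386.deb\n"
            f"Size: {len(DEB)}\nMD5sum: {hashlib.md5(DEB).hexdigest()}\n").encode()
INDEX = "main/binary-i386/Packages"
RELEASE = ("Suite: testing\nSHA1:\n"
           f" {hashlib.sha1(PACKAGES).hexdigest()} {len(PACKAGES)} {INDEX}\n")

if __name__ == "__main__":
    print(verify_chain(RELEASE, INDEX, PACKAGES, "apt", DEB))         # intact chain
    print(verify_chain(RELEASE, INDEX, PACKAGES, "apt", DEB + b"!"))  # altered package
```

Everything below the Release file is only as trustworthy as the key that signed it, which is why the question of an online versus offline signing key matters for stable.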