Hi Matt, sorry about the long delay in this thread. I'd also like to apologize in advance for being a nuisance, but apparently there are no other volunteers :).
Matt Zimmerman wrote on 18.01.2004 [Re: Release.gpg files gone?]:

> On Sun, Jan 18, 2004 at 06:30:11AM +0100, [EMAIL PROTECTED] wrote:
>
> > If you use apt-secure, this will make 'apt-get update' fail to download
> > the Packages files (correctly, because the authenticity of the contents
> > cannot be verified), meaning you (well, I :-|) could not download packages
> > from woody.
>
> This may have been the case with apt-secure, but this functionality is now
> merged into apt 0.6 (currently in experimental) in a different way which
> does not prevent downloads of unauthenticated packages altogether. Instead,
> it requires confirmation.

While this may solve the problem you quoted, this was actually not my point of interest, and I'm a bit surprised that obviously nobody shares my worries. To reiterate:

I wrote on 18.01.2004 [Re: Release.gpg files gone?]:

> curiously, http://ftp-master.debian.org/ziyi_key_2004.asc contains key
> 0x1DB114E0 whereas the key-servers seem to contain key 0x63EFD949

Point 1: There seems to be an incorrect key for [EMAIL PROTECTED] on the key servers. Am I misinterpreting something? Is this not alarming? At the least: where do I find the authoritative information on what key is the correct one? I doubt many of us have met [EMAIL PROTECTED] personally, so how is the web of trust supposed to work, supposing no one signs that key?

I remember reading something about the keyservers not being able to correctly handle subkeys, but I believe this is not the source of this confusion, though I would be relieved to find out that I am wrong :). I am using gnupg 1.2.1-2 btw., which seems to be a sarge or sid download which installed under woody without dependency problems.

Point 2:

> If ziyi_key_2003 (0x38C6029A) was replaced by ziyi_key_2003v2 (0x30B34DD5)
> after the server compromise, this indicates some concern that the private key
> may have been exposed. Would it then not be MANDATORY to re-sign all Release
> files with 2003v2 (or 2004 now)? After all, a signature with v1 provides NO
> security - either that or the replacement of the key was unnecessary.

In other words: woody's Release files are currently signed with a potentially compromised key that has in any case expired. There is therefore currently no way to verify the integrity of woody packages. I'm not looking for a way to install unverified packages, I'm asking that the packages be re-signed, or at least for an explanation why that is not deemed necessary. Is that too much to ask? Is it that complicated? Am I asking in the wrong place?

Regards,
Holger