Bug#345891: needs update for new archive key

2006-01-10 Thread Michael Vogt
On Fri, Jan 06, 2006 at 02:59:21AM +0100, Adeodato Simó wrote:
 * Michael Vogt [Thu, 05 Jan 2006 23:27:40 +0100]:
  but we need a better system for upgrades (see below).
 
   Thanks for proposing this.
 
  I think the same. My proposal is to create a new debian-server-keyring
 
   Can I suggest that it's called debian-archive-keyring (or -keys)
   instead? debian-server sounds like a debian server, while
   debian-archive sounds more (at least to me) like the Debian
   Archive.

Thanks everyone for their opinion. 

I uploaded a new debian-archive-keyring package a couple of minutes
ago that will work with apt-key update (and calls it automatically
after it was installed). It will also build a udeb (as suggested by
Joey Hess, thanks to Colin Watson).

About maintainership of this package, I'm happy to maintain it for
now, but I'm equally happy to give it away to the ftp-masters.

This package solves the problem for scheduled key rollovers (where we
sign with both new and old key for a certain time), but it uses the
old key to verify the package. This means that it's not suitable
against a key compromise of the archive key. How to deal with this
scenario needs to be discussed further. 

Cheers,
 Michael

-- 
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#345891: needs update for new archive key

2006-01-06 Thread Joey Hess
Steve Langasek wrote:
 The ISO images are generated on a different machine from ftp-master, with
 their own Release files which must be signed by a separate key.  The policy
 for those keys (and for keys used for signing stable in general?) probably
 needs to be separate from that used on the ftp archive.

The CDs aren't signed at all right now, but for all CDs except for full
CDs (netinst, businesscard), if the archive key built into the CD is
expired, the install will probably fail.

-- 
see shy jo


signature.asc
Description: Digital signature


Bug#345891: needs update for new archive key

2006-01-05 Thread Michael Vogt
On Tue, Jan 03, 2006 at 11:07:37PM -0500, Joey Hess wrote:
 Package: apt
 Version: 0.6.43
 Severity: serious
 Tags: d-i

Thanks for your bug report and sorry for my late reply.
 
 apt needs to be updated for this year's archive key which is apparently
 the one at http://ftp-master.debian.org/ziyi_key_2006.asc

The new key is added to my baz repository and it will be part of the
next (very soon) upload. 

 I'm tagging this bug d-i because not having the key up-to-date in apt
 breaks new installations since apt doesn't work, and will begin breaking
 d-i even worse once the old archive key expires.

The updated default key in apt means that new installs will be fine,
but we need a better system for upgrades (see below).

 FWIW, I think that the archive key should be split out into a new
 package that can be updated more easily than apt, but for now a quick
 fix is called for.

I think the same. My proposal is to create a new debian-server-keyring
[1] package that contains:
/usr/share/keyrings/debian-archive-keyring.gpg
/usr/share/keyrings/debian-archive-removed-keys.gpg

and calls apt-key update in its postinst. apt-key update will add
new keys from debian-archive-keyring.gpg via apt-key add and remove
keys in debian-archive-removed-keys.gpg via apt-key del.

This way installing/updating the package will ensure that new keys are
added as required and obsolete keys can be removed. Because the keys
are part of a package and the package is covered with the trust-chain
there is no trust-chain violation.

If people are happy with my proposal I'll prepare and upload such a
package. 

Cheers,
 Michael

[1] I think we should create a new package and not use debian-keyring
because debian-keyring is pretty big.
-- 
Linux is not The Answer. Yes is the answer. Linux is The Question. - Neo
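
Added example, not part of the original thread and not apt's code: a toy Python model of the keyring-package scheme proposed in this message and of the limitation noted in the 2006-01-10 follow-up (the package is verified with the old key). There is no real cryptography here; the key IDs `KEY2005`, `KEY2006`, `UNVETTED` and the class and function names are constructed for illustration.

```python
# Toy model, no real cryptography: a "signature" is just the signing key's ID.
# Key IDs (KEY2005, KEY2006, UNVETTED) and package contents are constructed.
from dataclasses import dataclass, field


@dataclass
class KeyringPackage:
    signers: set       # keys that signed the archive metadata covering the package
    archive_keys: set  # stands in for debian-archive-keyring.gpg
    removed_keys: set = field(default_factory=set)  # debian-archive-removed-keys.gpg


def install(trusted, pkg):
    """Verify pkg against the client's trusted keys, then apply the update."""
    if not (pkg.signers & trusted):
        raise PermissionError("package not signed by any trusted key")
    # Update step as described in the thread: add new keys, delete removed ones.
    return (set(trusted) | pkg.archive_keys) - pkg.removed_keys


def try_install(trusted, pkg):
    """Return the new trusted set, or None if verification fails."""
    try:
        return install(trusted, pkg)
    except PermissionError:
        return None


def scenarios():
    old_only = {"KEY2005"}
    # Scheduled rollover: dual-signed, so clients holding only the old key accept it.
    rollover = KeyringPackage({"KEY2005", "KEY2006"}, {"KEY2005", "KEY2006"})
    # Later cleanup, signed with the new key only, retiring the old one.
    retire = KeyringPackage({"KEY2006"}, {"KEY2006"}, {"KEY2005"})
    # The old key still verifies whatever it signs, whoever holds it.
    unvetted = KeyringPackage({"KEY2005"}, {"KEY2005", "UNVETTED"})
    after_rollover = try_install(old_only, rollover)
    return {
        "rollover": after_rollover,
        "retired": try_install(after_rollover, retire),
        # A client that missed the dual-signed window cannot verify the cleanup.
        "missed_window": try_install(old_only, retire),
        "old_key_still_vouches": try_install(old_only, unvetted),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, sorted(result) if result is not None else "REJECTED")
```

The last two scenarios show why an in-band keyring update covers scheduled rollovers but not a compromised archive key: the client's only basis for accepting or rejecting the update is the key it already trusts.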





Bug#345891: needs update for new archive key

2006-01-05 Thread Joey Hess
Thanks for following up on this.

Michael Vogt wrote:
 I think the same. My proposal is to create a new debian-server-keyring
 [1] package that contains:
 /usr/share/keyrings/debian-archive-keyring.gpg
 /usr/share/keyrings/debian-archive-removed-keys.gpg
 
 and calls apt-key update in its postinst. apt-key update will add
 new keys from debian-archive-keyring.gpg via apt-key add and remove
 keys in debian-archive-removed-keys.gpg via apt-key del.
 
 This way installing/updating the package will ensure that new keys are
 added as required and obsolete keys can be removed. Because the keys
 are part of a package and the package is covered with the trust-chain
 there is no trust-chain violation.
 
 If people are happy with my proposal I'll prepare and upload such a
 package. 

Yes, that sounds right to me.

The installer also needs a copy of the keyring. Currently we copy this
from the keyring shipped in apt at package build time, but it would be
much nicer if there were a udeb that only contained the keyring. Once
you create this package I can send a patch to also make it produce an
appropriate udeb.

-- 
see shy jo




Bug#345891: needs update for new archive key

2006-01-05 Thread Adeodato Simó
* Michael Vogt [Thu, 05 Jan 2006 23:27:40 +0100]:

 but we need a better system for upgrades (see below).

  Thanks for proposing this.

 I think the same. My proposal is to create a new debian-server-keyring

  Can I suggest that it's called debian-archive-keyring (or -keys)
  instead? debian-server sounds like a debian server, while
  debian-archive sounds more (at least to me) like the Debian
  Archive.

  Thanks,

-- 
Adeodato Simó dato at net.com.org.es
Debian Developer  adeodato at debian.org
 
Man: Wow, that woman looks exactly the way Nina is going to look in
about ten years... Oh shit, it is Nina. Don't tell her what I said, okay?
-- http://www.overheardinnewyork.com/archives/003086.html






Bug#345891: needs update for new archive key

2006-01-05 Thread Andrew Vaughan
Hi

Further things to consider.  Apologies if these have already been handled.

1. Dec 2006 Etch releases.  Jill downloads and burns etch install cd.
   Jan 2007, old archive key expires, new archive key issued.
   Jan 2008, old archive key expires, new archive key issued.
   Mar 2008, Jill tries to install from the cd created in Dec 2006.  

   Will that work?

   Will that work if all debian-archive-keys were revoked/replaced in
   mid 2007?

2. security.d.o will (presumably) also be signed. 
   Will that be using the same key?

   Using separate keys might make updating after a key compromise simpler.
   (You could use the not-compromised key to sign both package lists
   temporarily).

Andrew

PS I also prefer debian-archive-keyring/debian-archive-keys.





Bug#345891: needs update for new archive key

2006-01-05 Thread Steve Langasek
On Fri, Jan 06, 2006 at 05:21:04PM +1100, Andrew Vaughan wrote:
 Hi

 Further things to consider.  Apologies if these have already been handled.

 1. Dec 2006 Etch releases.  Jill downloads and burns etch install cd.
    Jan 2007, old archive key expires, new archive key issued.
    Jan 2008, old archive key expires, new archive key issued.
    Mar 2008, Jill tries to install from the cd created in Dec 2006.

    Will that work?

    Will that work if all debian-archive-keys were revoked/replaced in
    mid 2007?

The ISO images are generated on a different machine from ftp-master, with
their own Release files which must be signed by a separate key.  The policy
for those keys (and for keys used for signing stable in general?) probably
needs to be separate from that used on the ftp archive.

Anyway, if by install you mean fresh install, rather than just install
some packages from this CD, the keys contained *on* the CD are ultimately
trusted (as is the rest of the software on the CD at time of install,
basically) at least until the point when you add some external apt source
that pulls revocation certificates from the network.  So doing an install
from the CD should work fine, as long as the CD-signing key has no
expiration date or one sufficiently far in the future to cover our
worst-case needs for etch, or we provide some override in the CD to allow
installing with an ancient signature.  Either way, I think ISOs pose much
less of a problem for us than ftp apt sources for stable.

 2. security.d.o will (presumably) also be signed.
    Will that be using the same key?

I don't see any good reason to use the same key, given that they're on
separate systems.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/




Bug#345891: needs update for new archive key

2006-01-05 Thread Christian Perrier
 I think the same. My proposal is to create a new debian-server-keyring
 [1] package that contains:
 /usr/share/keyrings/debian-archive-keyring.gpg
 /usr/share/keyrings/debian-archive-removed-keys.gpg


I add my voice here: this seems fair by me (with the name change
suggested by dato).

However, this raises an interesting question: who will maintain this
package?

My feeling is that it should be in the hands of the ftpmaster
team. This would give the guarantee of reactivity when updates are due
(hopefully once a year).







Bug#345891: needs update for new archive key

2006-01-03 Thread Joey Hess
Package: apt
Version: 0.6.43
Severity: serious
Tags: d-i

apt needs to be updated for this year's archive key which is apparently
the one at http://ftp-master.debian.org/ziyi_key_2006.asc

I'm tagging this bug d-i because not having the key up-to-date in apt
breaks new installations since apt doesn't work, and will begin breaking
d-i even worse once the old archive key expires.

FWIW, I think that the archive key should be split out into a new
package that can be updated more easily than apt, but for now a quick
fix is called for.

-- 
see shy jo

