Hi, Phillip Kern noticed we use the new Wheezy automatic signing key for squeeze-updates, but not for squeeze-security and asked to change the former back to the Squeeze key.
I looked at the archive to see what was done in the past and noticed that the Squeeze key was used to sign the last Lenny point release. Same for etch and etch-security (signed with the Lenny key). However lenny-security was signed with a different key (the Lenny key). So it seems this wasn't handled consistently in the past. There are three options: a, Continue to use the old key for oldstable, i.e. sign all squeeze suites (including -security, -updates) with the "Debian Archive Automatic Signing Key (6.0/squeeze)" key. All other suites would be signed with the current key. b, always use the current key, i.e. sign everything with "Debian Archive Automatic Signing Key (7.0/wheezy)", or c, use the old and current key for oldstable, and only the current key for the rest. For brevity I omitted the transition phase that may use more that one key. I tend towards (a) or (c) as the newer keys are often introduced in a point release and an r0 installer might not trust the newer key (and only "oldstable" itself is signed with the release team's key, -security and other suites are not). Ansgar -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87ppqufl5n....@deep-thought.43-1.org
