Jeroen van Wolffelaar wrote:
> On Sun, Feb 26, 2006 at 01:55:53AM +0100, Andrzej Adam Filip wrote:
>
>> Gnupg key used to generate Release.gpg of sarge has expired at
>> 2006-01-31. New Release.gpg should be generated using current gpg key.
>
> Thank you for your report. Yes, the signature is old, because Packages
> files and such for stable are only generated upon some release. So on
> the next point release, which shouldn't take too long anymore, the 2006
> key will be used.
>
> This is something that also should be thought about for etch, because
> with the new apt, this will cause issues for people installing/upgrading
> -- to the point that it would most likely simply break netinstalls and
> such. So this situation may not repeat itself in etch.
>
> Anyway, for people who already installed stable, nothing changed, and
> the trust in the archive doesn't suddenly decrease just because there
> was not a re-assurance that yes, the very same release is still genuine.
> This doesn't mean that this shouldn't be fixed of course.
Would it be possible to introduce a "multiple signatures" scheme (for stable
release) to allow fixing such problems in future releases? e.g.

  file          - file being signed
  file.gpg      - official signature created at release date
  file.XXXX.gpg - (refreshed?) signature created using key for year XXXX

It would be required only for stable releases with stability (period of being
maintained) spanning more than the lifespan of one signing key.

--
[pl2en Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]
http://anfi.homeunix.net/
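As an added illustration of the scheme proposed above (not code from either poster, nor from apt or gnupg), here is a small Python model of the verifier side: the client accepts a Release file if any of Release.gpg / Release.XXXX.gpg verifies under a trusted key that is still valid when checked. The key ids, secrets, dates and file names are constructed, and an HMAC stands in for the OpenPGP signature so the example runs offline.

```python
"""Verifier policy for the 'multiple signatures' scheme (constructed model).

gpg is replaced by an HMAC over the Release file keyed with the signing
key's secret; only the policy matters here: try every detached signature
and accept the release if ANY one verifies under a trusted, unexpired key.
"""
import hashlib
import hmac
from datetime import date

# Constructed archive keys: key id -> (secret, valid_from, expires).
# The dates mirror the thread: the old key expired 2006-01-31.
KEYS = {
    "2005": (b"secret-2005", date(2005, 1, 1), date(2006, 1, 31)),
    "2006": (b"secret-2006", date(2006, 1, 1), date(2007, 1, 31)),
}


def sign(key_id, release, signed_on):
    """Produce one detached 'signature' (HMAC stand-in) over the Release file."""
    secret = KEYS[key_id][0]
    mac = hmac.new(secret, release, hashlib.sha256).hexdigest()
    return {"key": key_id, "date": signed_on, "mac": mac}


def verify_one(sig, release, today, trusted):
    """One signature is good only if its key is trusted, the key was valid
    on the signing date, the key has not expired by 'today' (the apt-style
    strict check), and the MAC matches the file contents."""
    key = sig["key"]
    if key not in trusted or key not in KEYS:
        return False
    secret, valid_from, expires = KEYS[key]
    if not (valid_from <= sig["date"] <= expires) or today > expires:
        return False
    expected = hmac.new(secret, release, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["mac"])


def verify_release(sigs, release, today, trusted):
    """sigs maps file name (Release.gpg, Release.2006.gpg, ...) to a signature.
    Returns the name of the first signature that verifies, or None."""
    for name in sorted(sigs):
        if verify_one(sigs[name], release, today, trusted):
            return name
    return None
```

With only the release-date Release.gpg present, a client checking after 2006-01-31 gets None; once a refreshed Release.2006.gpg is published under the 2006 key, the same client accepts the unchanged Release file.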