also sprach Steve Langasek <[EMAIL PROTECTED]> [2006.01.07.1132 +0100]:
> This is inconsistent with Debian's past policies wrt stable releases,
> namely, that it should be possible for a user to skip all point releases and
> security updates (at the peril of their system's security...) and still be
> able to upgrade when a new stable release comes out. This is necessary if
> we're to accommodate the many Debian deployments which don't have a reliable
> network connection and are only updated when a new stable release is
> published. Please keep this use case in mind while designing solutions for
> the apt key update problem.

As JoeyH suggests on http://wiki.debian.org/SecureApt, a
debian-archive-key package, which contains all keys up until the
current one, would do. Then, whenever a new key comes along, a new
package is distributed via security.d.o.

If we do this, I strongly suggest moving to one-key-per-release
cycles. There is no reason to have a new key each January. As
a matter of fact, if etch comes out in December 2006, the archive
keys it distributes will be usable only for a little more than
a month.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!

"never try to explain computers to a layman. it's easier to explain
sex to a virgin."
                                                    -- robert heinlein

(note, however, that virgins tend to know a lot about computers.)