On Thu, May 04, 2006 at 08:07:45PM -0400, Joey Hess wrote:
> Goswin von Brederlow wrote:

>> Having the key in the debian-keyring package was a nice idea but
>> ultimately useless. Sarge users can't fetch the new etch keyring
>> package because the signature doesn't match and the signature
>> doesn't match because the sarge keyring doesn't have the key. Fun
>> fun fun.

> FWIW, I consider this issue solved by the debian-archive-keyring,
> only issue I know of is that upgrades have to manually upgrade it
> before upgrading apt.

Why can't we have a master key that signs the yearly keys? After all,
we have a long-term unique X.509 master key, so what's the difference
with OpenPGP?

-- 
Lionel

