On Fri, Aug 29, 2008 at 12:54:40PM +0200, Jeroen van Meeuwen wrote:
> Axel Thimm wrote:
> > W/o knowing all details, why not move os to os.oldkey and use os as
> > the new key's content? If the key is considered compromised what
> > mirror admin would like to keep the old signed packages around anyhow?
>
> I think then the problem becomes that every existing installation points
> to os/ where it would need os.oldkey/ to get the packages it can check
> gpg keys on.

But isn't this desired behaviour? We don't actually want os.oldkey/ to
be used anymore (mid-term) as we need to revoke the key in case it has
been stolen. Maybe we don't need os.*key at all.
E.g. if a key has been stolen, burn all signed stuff and recreate them
with a new key.
Axel.Thimm at ATrpms.net