laying groundwork for an eventual migration away from SHA1 with gpg
Werner Koch
wk at gnupg.org
Wed May 6 15:45:09 CEST 2009
Hi,
just a short remark on the Debian keys:
Using a 4k RSA key for an automated signing key or for role purposes is
not a good idea at all: It makes the user believe that the archive is
secure at that level; but that is clearly not the case. As usual one
needs to look at the weakest link and here we can find a lot of them: A
hijacked developer's box (Out of 10000 developers there is for sure at
least one folk not protecting his box with all required due diligence),
an ssh key floating around at several places, the upstream sources, the
protection of all the boxes passed while uploading a package and so on.
SCNR,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.