[[!tag debian keyserver pgp]]

Debian uses PGP keys of its uploading members to authenticate package uploads. The keys are stored in a keyring maintained by the keyring-maint team. The team also maintains a PGP keyserver, and new keys and signatures are uploaded there. The Debian keyserver gets new signatures from other keyservers, but only accepts signatures by keys already in the Debian keyring. New keys are accepted into the keyring manually, after a vetting process of the person. Updates from the Debian keyserver to the Debian keyring happen manually, roughly once a month. Only package uploads signed by keys in the Debian keyring get accepted by the Debian package archive.

The Debian package archive is signed by another key, securely maintained by the Debian FTP team. A copy of the public key is installed on every Debian machine, and updates to the key, as well as new keys, are distributed via package updates. This happens routinely in Debian.

Because of these reasons, Debian seems immune to the current attack on the SKS keyserver network, since Debian isn't getting those signatures, and the Debian package archive and updates to machines running Debian aren't getting the fraudulent signatures either.

(I've checked the above text with the keyring-maint team and they are OK with it.)