Debian has no good mechanism to revoke apt keys in case of compromise, nor a way to inform users in emergency situations.
An apt key revoker should be written and upstreamed to Debian:
- Keyservers may not be used: https://lists.nongnu.org/archive/html/sks-devel/2013-12/msg00076.html
- The code for downloading the revocation certificates should be configurable.
- A .d-style configuration folder where distributions and PPAs can drop configuration snippets, using arrays.
- Code should be re-usable for Whonix News key revocation as well (using a configuration snippet).
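
One way the .d-style configuration with arrays could be loaded and validated, as an added example (not code from Debian or Whonix). The function and array names, the snippet layout and the sample fingerprints and URLs are all hypothetical and constructed for illustration; bash is assumed because the snippets use arrays.

```bash
#!/bin/bash
# Added example. Hypothetical names: load_revocation_sources, revocation_sources,
# validated_sources and the snippet layout. Requires bash (arrays).

# Source every *.conf snippet in a .d-style folder. Each snippet appends
# "FINGERPRINT URL" entries to the revocation_sources array.
load_revocation_sources() {
    local conf_dir="$1" snippet entry fpr url
    revocation_sources=()
    validated_sources=()
    for snippet in "$conf_dir"/*.conf; do      # glob expands in sorted order
        [ -f "$snippet" ] || continue          # no match, or not a regular file
        # Sourcing executes the snippet, so accept only files we own.
        [ -O "$snippet" ] || { echo "skip (owner): $snippet" >&2; continue; }
        source "$snippet"
    done
    for entry in "${revocation_sources[@]}"; do
        fpr="${entry%% *}"
        url="${entry#* }"
        # Require a full 40-hex-digit fingerprint; short key IDs can collide.
        [[ "$fpr" =~ ^[0-9A-F]{40}$ ]] || { echo "skip (fingerprint): $entry" >&2; continue; }
        # HTTPS download locations only: no keyserver schemes, no odd characters.
        [[ "$url" =~ ^https://[A-Za-z0-9./_-]+$ ]] || { echo "skip (url): $entry" >&2; continue; }
        validated_sources+=("$fpr $url")
    done
    return 0
}

# Constructed sample input: one distribution snippet and one PPA snippet.
make_sample_dir() {
    local dir
    dir="$(mktemp -d)"
    cat > "$dir/30_distro.conf" <<'EOF'
revocation_sources+=("0123456789ABCDEF0123456789ABCDEF01234567 https://distro.example/revoke/archive.asc")
EOF
    cat > "$dir/50_ppa.conf" <<'EOF'
revocation_sources+=("89ABCDEF89ABCDEF89ABCDEF89ABCDEF89ABCDEF https://ppa.example/keys/revoke.asc")
revocation_sources+=("DEADBEEF https://ppa.example/keys/short.asc")
revocation_sources+=("0123456789ABCDEF0123456789ABCDEF01234567 hkp://keys.example/")
EOF
    echo "$dir"
}

sample_dir="$(make_sample_dir)"
load_revocation_sources "$sample_dir"
printf 'would fetch: %s\n' "${validated_sources[@]}"
rm -rf "$sample_dir"
```

Because snippets are sourced, anything able to write to the configuration folder can run code as the revoker's user, so the folder needs the same ownership and permissions as other root-only apt configuration.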