"Affected distributions are the Debian unstable branch
(codenamed Sid) as well as the testing branch (codenamed Squeeze).
The current stable version Debian GNU/Linux 5.0 (codenamed Lenny)
and the current oldstable version Debian GNU/Linux 4.0 (codenamed
Etch) will have their ftpmaster signature updated too. The release
managers signature stays untouched. The currently used key will
expire soon. The new key has already been distributed via the
debian-archive-keyring package. For users of the current stable
release Debian GNU/Linux 5.0 (codenamed Lenny) no action is
required from the user side, since Debian GNU/Linux 5.0 (codenamed
Lenny) was already shipped with the new key. Users of the current
oldstable release Debian GNU/Linux 4.0 (codenamed Etch) should
ensure to have upgraded to the latest point release 4.0r8 which
added an upgraded package containing the new key. Users of Debian's
testing branch (codenamed Squeeze) and Debian's unstable branch
(codenamed Sid) should ensure to have at least version 2009.01.31
of the debian-archive-keyring package installed.
"Starting with the next mirror update this evening and for the
next three weeks the archive will be digitally signed by both the
old and the new key. Starting with the 13th of June only the new
key will be used."