tags 699661 wontfix
thanks

On Sat, Feb 16, 2013 at 03:11:09PM -0500, Michael Gilbert wrote:
> > Note that signature date is part of the information
> > contained in the gpg signature block.
>
> Rethinking this, I suppose that could be faked with a compromised key.
>
> So, really the trust path would also require checking that that
> package originated from debian, i.e. that the dsc matches the
> information known to a release file that's been signed by one of the
> debian archive keys.
>
> Anyway, done carefully, it could work.

I think anyone who knows how to be careful enough to ensure they've
followed the trust path correctly can either find the old debian-keyring
package from archive.debian.org, rsync the removed-keys.gpg file from
keyring.debian.org or check out the bzr tree and get the key from there.

Marking wontfix; the removed-keys keyring is easily available to those
that need it and I don't think shipping it in the debian-keyring package
is helping most of the userbase.

J.

-- 
] http://www.earth.li/~noodles/ []  101 things you can't have too much  [
]  PGP/GPG Key @ the.earth.li   []           of : 53 - Space.           [
] via keyserver, web or email.  []                                      [
]         RSA: 4096/2DA8B985    []                                      [
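The archive side of the trust path described in the quoted text, as an added example that is not part of the original message: it checks that a .dsc is pinned by a Sources index which is itself pinned by a Release file. The function names and sample data are constructed for illustration, the Sources bytes are assumed to be uncompressed, and the signature on the Release file is assumed to have been verified against the Debian archive keys beforehand.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def checksum_section(text: str, field: str) -> dict:
    """Map file name -> (sha256 hex, size) for every entry under `field:`."""
    entries, active = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):          # new field or blank stanza separator
            active = line.strip() == field + ":"
        elif active:
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
    return entries

def dsc_in_archive(release: bytes, sources: bytes, sources_path: str,
                   dsc_name: str, dsc: bytes) -> bool:
    """True only if Release pins these Sources bytes and Sources pins this .dsc.

    Assumes the caller already verified the signature on `release` against the
    Debian archive keys (for example with gpgv); that step is not done here.
    """
    pinned = checksum_section(release.decode(), "SHA256")
    if pinned.get(sources_path) != (sha256(sources), len(sources)):
        return False                           # Sources index is not the signed one
    listed = checksum_section(sources.decode(), "Checksums-Sha256")
    return listed.get(dsc_name) == (sha256(dsc), len(dsc))

def build_sample():
    """Constructed sample data: a tiny .dsc, Sources stanza and Release file."""
    dsc = b"Format: 3.0 (quilt)\nSource: hello\nVersion: 1.0-1\n"
    sources = (
        "Package: hello\nVersion: 1.0-1\nChecksums-Sha256:\n"
        f" {sha256(dsc)} {len(dsc)} hello_1.0-1.dsc\n"
        f" {'0' * 64} 1234 hello_1.0.orig.tar.gz\n"
        "Directory: pool/main/h/hello\n"
    ).encode()
    release = (
        "Origin: Debian\nSuite: example\nSHA256:\n"
        f" {sha256(sources)} {len(sources)} main/source/Sources\n"
    ).encode()
    return release, sources, dsc

if __name__ == "__main__":
    release, sources, dsc = build_sample()
    print(dsc_in_archive(release, sources, "main/source/Sources",
                         "hello_1.0-1.dsc", dsc))
```

Only once this chain holds does the uploader's signature on the .dsc, checked against a key from the removed-keys keyring, say anything about who uploaded the package.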