On Sat, Jun 1, 2013 at 6:48 PM, Jonathan McDowell wrote:
> tags 699661 wontfix
> thanks
>
> On Sat, Feb 16, 2013 at 03:11:09PM -0500, Michael Gilbert wrote:
>> > Note that signature date is part of the information
>> > contained in the gpg signature block.
>>
>> Rethinking this, I suppose that could be faked with a compromised key.
>>
>> So, really the trust path would also require checking that that
>> package originated from debian, i.e. that the dsc matches the
>> information known to a release file that's been signed by one of the
>> debian archive keys.
>>
>> Anyway, done carefully, it could work.
>
> I think anyone who knows how to be careful enough to ensure they've
> followed the trust path correctly can either find the old debian-keyring
> package from archive.debian.org, rsync the removed-keys.gpg file from
> keyring.debian.org or checkout the bzr tree and get the key from there.
>
> Marking wontfix; the removed-keys keyring is easily available to those
> that need it and I don't think shipping it in the debian-keyring
> package is helping most of the userbase.

Well, it would help a certain subset of the userbase that prefers to
fetch stuff via the package management system, making it more
convenient for those extracting signed sources with now-expired keys.
It will of course require a bit more information (expiration dates) to
actually make that keyring truly useful.

Best wishes,
Mike
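The trust path Michael sketches above (the .dsc must match what a Release file signed by one of the archive keys vouches for, not merely carry a signature from a key that was once in the keyring) can be checked mechanically once gpg has verified the Release signature. The following is an added example, not code from this thread or from Debian: the sample Release, Sources and .dsc contents are constructed inline, and verification of the archive-key signature on the Release file is assumed to have been done separately with gpg.

```python
import hashlib
import hmac

# Constructed sample data (not a real Debian source package or archive index).
DSC = b"Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n"
SOURCES = (
    "Package: example\nVersion: 1.0-1\nDirectory: pool/main/e/example\n"
    "Checksums-Sha256:\n"
    " %s %d example_1.0-1.dsc\n\n" % (hashlib.sha256(DSC).hexdigest(), len(DSC))
).encode()
# The Release file is what the archive key signs; `gpg --verify` on it is
# assumed to have succeeded already and is not modelled here.
RELEASE = (
    "Suite: stable\nSHA256:\n"
    " %s %d main/source/Sources\n" % (hashlib.sha256(SOURCES).hexdigest(), len(SOURCES))
)

def parse_checksums(text, field):
    """Parse a deb822 multi-line checksum field into {path: (sha256_hex, size)}."""
    entries, in_field = {}, False
    for line in text.splitlines():
        if in_field and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_field = line.rstrip() == field + ":"
    return entries

def file_matches(entries, name, data):
    """True if `data` has exactly the size and SHA-256 the index records for `name`."""
    if name not in entries:
        return False
    digest, size = entries[name]
    actual = hashlib.sha256(data).hexdigest()
    return size == len(data) and hmac.compare_digest(digest, actual)

def verify_chain(release_text, sources_path, sources_bytes, dsc_name, dsc_bytes):
    """Release (archive-key signed) -> Sources index -> .dsc, each link checked by hash."""
    if not file_matches(parse_checksums(release_text, "SHA256"), sources_path, sources_bytes):
        return False
    sources = parse_checksums(sources_bytes.decode(), "Checksums-Sha256")
    return file_matches(sources, dsc_name, dsc_bytes)

if __name__ == "__main__":
    ok = verify_chain(RELEASE, "main/source/Sources", SOURCES, "example_1.0-1.dsc", DSC)
    print("dsc vouched for by the signed Release file:", ok)
```

A .dsc whose signature verifies against removed-keys.gpg but whose hash is absent from a Release-covered Sources index fails this check, which is the case a compromised or re-dated key would produce.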

