On Wed, Oct 08, 2014 at 07:57:14PM +0100, Jonathan Dowland wrote:
> Hey, I noticed that the most recent DSA failed signature check for me.
> This is because Thijs' signing key had an expiry of 2014-06-16 at some
> point. He has more recently edited that forward a year. However, the
> version of his key in debian-keyring 2013.04.21 (=wheezy) has the
> above expiry. (It's fixed in 2014.08.31=jessie).
> 
> I think it would be a nice-to-have if DSAs were verifiable by the
> keyring package shipped in stable. That would imply updating keys in
> the stable package to reflect (some) changes post-release.
> 
> Person-power issues aside, what are your opinions on this, please? I'm
> aware that you almost certainly lack the cycles to make such updates.

We've had some discussion in the past about putting updates in the
-updates suite for stable (and indeed there's a bug, #751480, which I
have cc'd), and some discussion about whether we should continue to ship
the debian-keyring package. I personally lean a bit towards the removal
of the package and saying people should be pulling keys from keyservers,
but I understand there are those who like to have a snapshot of the
keyring for the release. One of the problems with then updating the
keyring as it changes is that keys that may have been valid at release
but have been changed are no longer available, so you still run the risk
of not being able to verify signatures that are on your system. As a
result the bug in question has been marked wontfix.

J.

-- 
/-\                             |  I like my copyright infringements
|@/  Debian GNU/Linux Developer |         to be patent free.
\-                              |
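
The situation discussed in this thread, as an added example that is not part of either message: it parses `gpg --with-colons --list-keys` style records from two keyring snapshots and reports whether a signer's key is usable at a given time. The key IDs, dates, snapshot contents and function names are constructed for illustration.

```python
from datetime import datetime, timezone

def epoch(y, m, d):
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

def pub(keyid, created, expires):
    # Colon-format "pub" record: type:validity:bits:algo:keyid:created:expires:...
    return f"pub:-:4096:1:{keyid}:{created}:{expires}:::::scESC:"

SIGNER = "0123456789ABCDEF"   # constructed key id
OTHER = "FEDCBA9876543210"    # constructed key id, no expiry set

# Constructed snapshots: the older one carries the signer's key with its
# original expiry, the newer one carries the copy with the expiry moved forward.
OLD_SNAPSHOT = "\n".join([
    pub(SIGNER, epoch(2009, 6, 16), epoch(2014, 6, 16)),
    "uid:-::::::::Example Signer <signer@example.org>:",
    pub(OTHER, epoch(2010, 1, 1), ""),
])
NEW_SNAPSHOT = "\n".join([
    pub(SIGNER, epoch(2009, 6, 16), epoch(2015, 6, 16)),
    "uid:-::::::::Example Signer <signer@example.org>:",
])

def key_expiries(colon_listing):
    """Map key id -> expiry as an aware datetime, or None if the key never expires."""
    result = {}
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] != "pub" or len(fields) < 7:
            continue  # skip uid/sub/other record types
        expires = fields[6]
        result[fields[4]] = (
            datetime.fromtimestamp(int(expires), timezone.utc) if expires else None
        )
    return result

def usable_at(colon_listing, keyid, when):
    """Return 'ok', 'expired' or 'missing' for keyid in this snapshot at `when`."""
    expiries = key_expiries(colon_listing)
    if keyid not in expiries:
        return "missing"
    expiry = expiries[keyid]
    return "ok" if expiry is None or when < expiry else "expired"

SIGNED = datetime(2014, 10, 8, tzinfo=timezone.utc)  # constructed signature time
if __name__ == "__main__":
    for name, snap in (("old", OLD_SNAPSHOT), ("new", NEW_SNAPSHOT)):
        print(name, {k: usable_at(snap, k, SIGNED) for k in (SIGNER, OTHER)})
```

The same signer is reported as expired against the older snapshot and usable against the newer one, while a key present only in the older snapshot is missing from the newer one, which is the trade-off the reply describes.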

