On Sat, 2 Feb 2013 23:51:42 -0500 Michael Gilbert <mgilb...@debian.org> wrote:
> package: debian-keyring
> version: 2012.11.15
> severity: important
>
> Signature verification currently fails on source packages that were
> signed by keys that are no longer present in the active keyrings.
> This can easily lead to the incorrect conclusion that those packages
> are not to be trusted or possibly malicious.  Many packages tend to
> remain in the archive far longer than the key used to sign them, so I
> think it would make a lot of sense to ship the removed-keys to be able
> to easily verify them into the indefinite future.

I wonder if instead the bug report is with dak, that it should strip
signatures from .dsc files (like it strips them from .changes) and
instead replace signature with the verified/trusted gpg output at the
time (good signature from $UID $KEID $HASH $Algo).

Such that .dsc fetched from the archive years later, is only verified
via archive key signature of a future time, rather than relying on the
.dsc signature to remain trusted.

It would also make published .dsc smaller.

Basically the same reasoning as to why .deb files are not signed directly.

Because one is supposed to have received an already authenticated and
verified .dsc after running `apt source`.

Regards,

Dimitri.
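The failure mode the bug report describes is a verifier that cannot tell "the signing key is not in the keyring I was given" from "the signature is bad". The added example below (not code from the bug report or from the debian-keyring or dak projects) parses gpg's machine-readable `--status-fd` output, retries only the unknown-key case against a second keyring of removed keys, and renders the "good signature from UID KEYID HASH ALGO" record that the reply suggests dak could store instead of the raw signature. `ACTIVE_KEYRING` is the path the debian-keyring package ships; `REMOVED_KEYRING` is a placeholder path, and the status lines and the `run` callable used in the demo are constructed so the logic runs without gpg or a real .dsc.

```python
"""Verify a .dsc signature, distinguishing 'key not in keyring' from 'bad signature'.

Added example, not part of the Debian bug thread. REMOVED_KEYRING is a placeholder;
the sample gpg status output below is constructed, not captured from a real package.
"""
import subprocess
from dataclasses import dataclass

ACTIVE_KEYRING = "/usr/share/keyrings/debian-keyring.gpg"  # shipped by the debian-keyring package
REMOVED_KEYRING = "/path/to/removed-keys.gpg"  # placeholder: assumed keyring of removed keys

# OpenPGP algorithm ids as gpg reports them in VALIDSIG (subset)
PUBKEY_ALGOS = {"1": "RSA", "17": "DSA", "22": "EdDSA"}
HASH_ALGOS = {"2": "SHA1", "8": "SHA256", "9": "SHA384", "10": "SHA512"}


@dataclass
class VerifyResult:
    status: str          # good | expired_key | bad | unknown_key | no_signature
    keyid: str = ""
    uid: str = ""
    fingerprint: str = ""
    pubkey_algo: str = ""
    hash_algo: str = ""
    keyring: str = ""    # which keyring the key was found in


def gpg_command(dsc_path, keyrings):
    """gpg invocation: machine-readable status on stdout, only the given keyrings consulted."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--no-default-keyring"]
    for keyring in keyrings:
        cmd += ["--keyring", keyring]
    return cmd + ["--verify", dsc_path]


def parse_status(status_text):
    """Classify '[GNUPG:] ...' lines. BADSIG outranks everything and is never retried;
    NO_PUBKEY means 'key absent from this keyring', which is not evidence of tampering."""
    result = VerifyResult("no_signature")
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split(" ", 3)  # '[GNUPG:]', KEYWORD, first arg, remainder (uid may contain spaces)
        keyword = parts[1]
        if keyword == "BADSIG":
            return VerifyResult("bad", keyid=parts[2], uid=parts[3] if len(parts) > 3 else "")
        if keyword in ("GOODSIG", "EXPKEYSIG"):
            result.status = "good" if keyword == "GOODSIG" else "expired_key"
            result.keyid = parts[2]
            result.uid = parts[3] if len(parts) > 3 else ""
        elif keyword == "NO_PUBKEY" and result.status == "no_signature":
            result.status = "unknown_key"
            result.keyid = parts[2]
        elif keyword == "VALIDSIG":
            # VALIDSIG fpr date timestamp expire version reserved pkalgo hashalgo class primary-fpr
            f = line.split()
            result.fingerprint = f[2]
            result.pubkey_algo = PUBKEY_ALGOS.get(f[8], f[8])
            result.hash_algo = HASH_ALGOS.get(f[9], f[9])
    return result


def run_gpg(cmd):
    """Default runner. gpg exits non-zero on NO_PUBKEY as well as BADSIG, so do not raise."""
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def verify_dsc(dsc_path, run=run_gpg):
    """Check the active keyring first; only an unknown-key result is retried with the
    removed-keys keyring added, so a bad signature can never be masked by the retry."""
    first = parse_status(run(gpg_command(dsc_path, [ACTIVE_KEYRING])))
    first.keyring = ACTIVE_KEYRING
    if first.status != "unknown_key":
        return first
    second = parse_status(run(gpg_command(dsc_path, [ACTIVE_KEYRING, REMOVED_KEYRING])))
    second.keyring = REMOVED_KEYRING if second.status != "unknown_key" else ""
    return second


def summary_line(result):
    """The record the reply proposes storing in place of the signature."""
    if result.status not in ("good", "expired_key"):
        return f"{result.status}: key {result.keyid or '?'}"
    return f"good signature from {result.uid} {result.keyid} {result.hash_algo} {result.pubkey_algo}"


# Constructed gpg --status-fd output (not from a real package)
SAMPLE_UNKNOWN = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1352937600 9",
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF",
])
SAMPLE_GOOD = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <example@example.invalid>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2012-11-15 1352937600 0 4 0 1 8 01"
    " 0000000000000000000000000123456789ABCDEF",
    "[GNUPG:] TRUST_FULLY",
])
SAMPLE_BAD = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <example@example.invalid>",
])

if __name__ == "__main__":
    # Demo with a fake runner: the key is only present in the removed-keys keyring
    fake = lambda cmd: SAMPLE_GOOD if REMOVED_KEYRING in cmd else SAMPLE_UNKNOWN
    r = verify_dsc("example_1.0-1.dsc", run=fake)
    print(r.keyring, "->", summary_line(r))
    print(summary_line(parse_status(SAMPLE_BAD)))
```

With a real gpg the default runner is used: `verify_dsc("pkg_1.0-1.dsc")`. The point of the two-step check is ordering: a signature that verifies under the removed-keys keyring tells you the package was signed by a key Debian once trusted, while a `bad` result on the first pass is returned immediately and never re-tried.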
