On Tue, 05 Aug 2008, Thijs Kinkhorst wrote:

> On Tuesday 5 August 2008 20:24, martin f krafft wrote:
> > Sure, we wouldn't want to endanger our release schedule for feature
> > enhancements or Debian's reputation. ;|
>
> Or put differently, I'd rather spend our time on things that more
> significantly improve the security of a Debian system, and to be frank I
> think it's quite speculative that there's actual reputation risk here.
So why the fuck do we ship apt keys with expiration dates anyway, if apt
happily ignores them?

When I create a key and add that to apt's trusted-keys with an expiration
date of foo I fully expect it to not be trusted afterwards. But heck, I can
even create new signatures made after the expiration date and apt will
happily accept any and all Release files signed by that expired key.

I was shocked when I realized this today, after reading this bug report
I'm dumbfounded that you even consider this acceptable!

still shaking my head,
weasel
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
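
The check the message above expects, as an added example that is not part of the original e-mail and is not apt's code: a verifier reading `gpgv --status-fd` output counts only `GOODSIG` lines toward trust, so a signature from an expired key (`EXPKEYSIG`) never makes a Release file acceptable on its own. The function name, the policy and all sample status lines are assumptions constructed for illustration.

```python
# Added example, not apt's code. Key IDs, fingerprints and timestamps
# are constructed sample values.
WORTHLESS = {"EXPKEYSIG", "EXPSIG", "REVKEYSIG"}  # valid maths, dead key/sig
FATAL = {"BADSIG"}                                # signature does not verify


def evaluate_status(status_text):
    """Return (trusted, good_key_ids, problems) from gpgv --status-fd text."""
    good, problems = [], []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        keyword, key_id = fields[1], fields[2]
        if keyword == "GOODSIG":
            good.append(key_id)
        elif keyword in WORTHLESS or keyword in FATAL:
            problems.append((keyword, key_id))
        # VALIDSIG is ignored on purpose: it only says the signature is
        # cryptographically valid and also accompanies EXPKEYSIG.
    fatal = any(keyword in FATAL for keyword, _ in problems)
    # Trust needs at least one GOODSIG; worthless signatures never count.
    return bool(good) and not fatal, good, problems


def _validsig(fpr_char):
    """Build a constructed VALIDSIG line with a placeholder fingerprint."""
    fpr = fpr_char * 40
    return f"[GNUPG:] VALIDSIG {fpr} 2008-08-05 1217937600 0 4 0 1 2 00 {fpr}"


# Constructed sample: the only signature comes from an expired key.
EXPIRED_ONLY = "\n".join([
    "[GNUPG:] KEYEXPIRED 1214870400",
    "[GNUPG:] EXPKEYSIG AAAAAAAAAAAAAAAA Constructed Archive Key (expired)",
    _validsig("A"),
])
# Constructed sample: same file, also signed by a key that is still valid.
MIXED = EXPIRED_ONLY + "\n" + "\n".join([
    "[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Constructed Archive Key (current)",
    _validsig("B"),
])

if __name__ == "__main__":
    for name, text in (("expired only", EXPIRED_ONLY), ("mixed", MIXED)):
        print(name, evaluate_status(text))
```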