> All Release.gpg files except those from woody have disappeared > from the ftp mirrors last night. The files themselves are still there, but
This was due to the key that was being used for signing being expired, it has now been replaced with a new key the one for 2004, so the newly signed Release files are ok now, this means Sarge and Sid. However the Release files that have not yet been signed again are either not verifiable at all (Release.gpg 0 bytes long), like in the case of woody's security.debian.org updates, or are not trustable acording to apt-check-sigs because the key has expired (like woody's release 2 if you don't trust the old 2003 key), this needs to be fixed yet, otherwise people checking sigs will get things like this: Source: deb http://security.debian.org/ stable/updates main contrib non-free o Origin: Debian/Debian-Security o Suite: stable/woody o Date: Thu, 15 Jan 2004 07:45:20 UTC o Description: Debian 3.0 Security Updates * NO VALID SIGNATURE * PROBLEMS WITH main (NOCHECK, NOCHECK) * PROBLEMS WITH contrib (NOCHECK, NOCHECK) * PROBLEMS WITH non-free (NOCHECK, NOCHECK) Source: deb http://ftp.manty.net/debian stable main non-free contrib o Origin: Debian/Debian o Suite: stable/woody o Date: Thu, 20 Nov 2003 18:57:17 UTC o Description: Debian 3.0r2 Released 20th November 2003 * COULDN'T CHECK SIGNATURE BY KEYID: B629A24C38C6029A * Signed by EXPIRED key: Debian Archive Automatic Signing Key (2003 v2) <[EMAIL PROTECTED]> * NO VALID SIGNATURE * PROBLEMS WITH main (NOCHECK, NOCHECK) * PROBLEMS WITH non-free (NOCHECK, NOCHECK) * PROBLEMS WITH contrib (NOCHECK, NOCHECK) Exactly the same problem happens with non-us, of course one can use the old 2003 key to verify this, but if it was replaced with the 2003 v2 it was because of something, even though nothing was said about it, and this would not solve the problem with security.debian.org updates for woody, where one can see the problem just with looking at the directory: -rw-rw-r-- 1 2349 802 18456 Jan 15 07:45 Release -rw-r--r-- 1 2349 802 0 Jan 15 07:45 Release.gpg Hope this signing thing can be solved soon. Regards... -- Manty/BestiaTester -> http://manty.net
