Adam Cecile <adam.cec...@hitec.lu> writes: > I still thinks it *sucks* to have no alternative then considering > packages signed by an expired key like unsigned packages....
The key is expired, which means its creator no longer claims it as their key. Any signatures found using that key, can no longer be known to be made by the person who nominally owns that key. In other words: Yes, it's inconvenient, but it's because *no one can know* with confidence any more whether that key has been compromised. So that does put it into the same category as “who the hell knows whether this signature is associated with the key owner”. That's just a fact that follows from the finite lifetime of the security of a given key. The longer it's been out there, the larger the window for compromise; and we're now outside the window where the key owner warrants to still be in control of that key. Don't trust whatever signatures you find with that key any more. -- \ “I have had a perfectly wonderful evening, but this wasn't it.” | `\ —Groucho Marx | _o__) | Ben Finney
