[Pkg-gnupg-maint] Bug#497825: Bug#433091: ignores expiry of archive keys

Peter Palfrader weasel at debian.org
Mon Apr 6 00:12:26 UTC 2009

On Tue, 05 Aug 2008, Thijs Kinkhorst wrote:

> On Tuesday 5 August 2008 20:24, martin f krafft wrote:
> > Sure, we wouldn't want to endanger our release schedule for feature
> > enhancements or Debian's reputation. ;|
> Or put differently, I'd rather spend our time on things that more 
> significantly improve the security a of Debian system, and to be frank I 
> think it's quite speculative that there's actual reputation risk here.

So why the fuck do we ship apt keys with expiration dates anyway, if apt
happily ignores them?

When I create a key and add that to apt's trusted-keys with an
expiration date of foo I fully expect it to not be trusted afterwards.

But heck, I can even create new signatures made after the expiration
date and apt will happily accept any and all Release files signed by
that expired key.

I was shocked when I realized this today, after reading this bug
report I'm dumbfounded that you even consider this acceptable!

still shaking my head,
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

More information about the Pkg-gnupg-maint mailing list