[Pkg-gnupg-maint] Bug#497825: Bug#433091: ignores expiry of archive keys
Peter Palfrader
weasel at debian.org
Mon Apr 6 00:12:26 UTC 2009
On Tue, 05 Aug 2008, Thijs Kinkhorst wrote:
> On Tuesday 5 August 2008 20:24, martin f krafft wrote:
> > Sure, we wouldn't want to endanger our release schedule for feature
> > enhancements or Debian's reputation. ;|
>
> Or put differently, I'd rather spend our time on things that more
> significantly improve the security of a Debian system, and to be frank I
> think it's quite speculative that there's actual reputation risk here.

So why the fuck do we ship apt keys with expiration dates anyway, if apt
happily ignores them?

When I create a key and add that to apt's trusted-keys with an
expiration date of foo I fully expect it to not be trusted afterwards.
But heck, I can even create new signatures made after the expiration
date and apt will happily accept any and all Release files signed by
that expired key.

I was shocked when I realized this today, after reading this bug
report I'm dumbfounded that you even consider this acceptable!

still shaking my head,
weasel
--
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
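
The behaviour the message expects, as an added example (not part of the original post, and not apt's or GnuPG's code): a policy check over gpgv's `--status-fd` output in which a signature from an expired key never counts towards trust. The function names, the accept/reject policy and the sample status streams are assumptions constructed for illustration.

```python
# Added example (not apt's code): judge gpgv --status-fd output.
PREFIX = "[GNUPG:] "
# Cryptographically valid, but must not establish trust (assumed policy).
WORTHLESS = {"EXPKEYSIG": "signing key has expired",
             "REVKEYSIG": "signing key is revoked",
             "EXPSIG": "signature itself has expired"}
FATAL = {"BADSIG": "signature does not verify"}

def parse_status(text):
    """Yield (token, args) for each status line, skipping other output."""
    for line in text.splitlines():
        if line.startswith(PREFIX):
            parts = line[len(PREFIX):].split()
            if parts:
                yield parts[0], parts[1:]

def evaluate(text):
    """Return (trusted, notes); only GOODSIG counts towards trust."""
    good, fatal, notes, expiry, last_sig = 0, False, [], None, None
    for token, args in parse_status(text):
        if token == "GOODSIG":
            good += 1
        elif token in WORTHLESS:
            notes.append(f"{token}: {WORTHLESS[token]}")
        elif token in FATAL:
            fatal = True
            notes.append(f"{token}: {FATAL[token]}")
        elif token == "KEYEXPIRED" and args and args[0].isdigit():
            expiry = int(args[0])
        elif token == "VALIDSIG" and len(args) >= 3 and args[2].isdigit():
            # VALIDSIG never adds trust; its timestamp is for diagnosis only.
            if last_sig == "EXPKEYSIG" and expiry and int(args[2]) > expiry:
                notes.append("signature was made after the key expired")
        if token == "GOODSIG" or token in WORTHLESS or token in FATAL:
            last_sig = token
    if good == 0:
        notes.append("no GOODSIG from a usable key")
    return good > 0 and not fatal, notes

# Constructed sample streams; key IDs, fingerprints and times are made up.
FPR_A, FPR_B = "A" * 40, "B" * 40
EXPIRED_KEY = f"""[GNUPG:] KEYEXPIRED 1230768000
[GNUPG:] EXPKEYSIG AAAAAAAAAAAAAAAA Example Archive Key
[GNUPG:] VALIDSIG {FPR_A} 2009-04-06 1238976000 0 4 0 1 2 00 {FPR_A}
"""
CURRENT_KEY = f"""[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Example Archive Key
[GNUPG:] VALIDSIG {FPR_B} 2009-04-06 1238976000 0 4 0 1 2 00 {FPR_B}
"""
```

GnuPG emits `VALIDSIG` together with `EXPKEYSIG`, so a verifier that keys on `VALIDSIG` alone accepts exactly the signatures described above; a file signed by both an expired and a current key is still trusted here through the current key.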