[Pkg-zsh-devel] Expired keys in d/upstream/signing-key.asc

Daniel Shahaf d.s at daniel.shahaf.name
Sun Jul 12 20:56:18 BST 2020


{zsh,z-sy-h}/debian/upstream/signing-key.asc both contain exported
snapshots of my public key. Those snapshots expired earlier this month.

My key hasn't expired; just the snapshots.  I periodically extend my
key's validity — currently it's valid through next December, published
in the usual places — but I haven't reëxported it to those files since I
last extended it.

Should I update those exports manually?  It seems weird to have to do
this manually when it's fully automatable (particularly so when the public
key in question is on keyring.d.o anyway).

There doesn't seem to be a lintian check for expired keys in that file,
nor a wishlist bug for such a check.  I'm not sure whether one should be
added, though; that would depend on whether upstream keys that have been
retired should or shouldn't be retained in that file.  (For example,
I didn't RM zsh 5.8, but my public key was in signing-key.asc in 5.8.)

Cheers,

Daniel
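
An added example, not part of the original message and not lintian code: a shell check for expired primary keys in a `debian/upstream/signing-key.asc` export, of the kind the message says could be automated. It assumes GnuPG 2.x (`gpg --show-keys --with-colons`, where field 7 of a `pub` record is the expiry in epoch seconds); the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons` output (key IDs are placeholders):
# one key that expired on 2020-07-01, one with no expiry, one valid until 2030.
SAMPLE_LISTING='pub:e:4096:1:AAAAAAAAAAAAAAAA:1500000000:1593561600::-:::sc::::::23::0:
uid:e::::1500000000::X::Example Upstream <upstream@example.org>::::::::::0:
sub:e:4096:1:BBBBBBBBBBBBBBBB:1500000000:1593561600:::::e::::::23:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1500000000:::-:::scESC::::::23::0:
pub:-:255:22:DDDDDDDDDDDDDDDD:1500000000:1900000000::-:::scESC::::::23::0:'

# list_expired NOW
# Reads a colon-format key listing on stdin and prints "<keyid> <expiry>"
# for every primary key (pub record) whose expiry lies before NOW.
# An empty expiry field means the key never expires, so it is skipped.
list_expired() {
    awk -F: -v now="$1" '
        $1 == "pub" && $7 != "" && ($7 + 0) < (now + 0) { print $5, $7 }
    '
}

# check_signing_key FILE
# Returns 0 if no primary key in FILE has expired, 1 if at least one has,
# 2 if gpg could not parse the file (so a broken file is not read as "fine").
check_signing_key() {
    listing=$(gpg --show-keys --with-colons "$1" 2>/dev/null) || return 2
    expired=$(printf '%s\n' "$listing" | list_expired "$(date +%s)")
    [ -z "$expired" ] && return 0
    printf 'expired primary key(s) in %s:\n%s\n' "$1" "$expired" >&2
    return 1
}

# Run against a file when one is given, e.g.:
#   sh check-key.sh debian/upstream/signing-key.asc
if [ "$#" -gt 0 ]; then
    check_signing_key "$1"
    exit
fi
```

The check reports every expired primary key in the file, so a key deliberately kept for verifying older releases is flagged as well.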


