[Pkg-zsh-devel] Expired keys in d/upstream/signing-key.asc
Axel Beckert
abe at debian.org
Sun Jul 12 21:45:48 BST 2020
Hi Daniel,
Daniel Shahaf wrote:
> {zsh,z-sy-h}/debian/upstream/signing-key.asc both contain exported
> snapshots of my public key. Those snapshots expired earlier this
> month.
Oops.
> My key hasn't expired; just the snapshots. I periodically extend my
> key's validity — currently it's valid through next December, published
> in the usual places — but I haven't reëxported it to those files since I
> last extended it.
I like your usage of ë in a non-French language. :-) I usually do this
with "Koffeïn" (the German word for "caffeine" as it is otherwise
ambiguous since "ei" usually has a special pronounciation in German.
> Should I update those exports manually? It seems weird to have to do
> this manually when it's fully automatable (particularly so when the
> public key in question is on keyring.d.o anyway).
Good question. I assume that at least the latter is not a (that)
common case, so it's probably not taken into account so far.
> There doesn't seem to be a lintian check for expired keys in that file,
> nor a wishlist bug for such a check.
But I think there should be one, especially if that's not yet
automated (or automatable) yet.
> I'm not sure whether one should be added, though; that would depend
> on whether upstream keys that have been retired should or shouldn't
> be retained in that file.
Nope, I think expired keys in debian/upstream/signing-key.asc
generally should cause a warning — independent of if the key
expiration date has been extended elsewhere or not.
> (For example, I didn't RM zsh 5.8, but my
> public key was in signing-key.asc in 5.8.)
Good point. We probably should add dana's public key, too.
Regards, Axel
--
,''`. | Axel Beckert <abe at debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
More information about the Pkg-zsh-devel
mailing list