[Pkg-zsh-devel] Expired keys in d/upstream/signing-key.asc

Axel Beckert abe at debian.org
Sun Jul 12 21:45:48 BST 2020


Hi Daniel,

Daniel Shahaf wrote:
> {zsh,z-sy-h}/debian/upstream/signing-key.asc both contain exported
> snapshots of my public key. Those snapshots expired earlier this
> month.

Oops.

> My key hasn't expired; just the snapshots.  I periodically extend my
> key's validity — currently it's valid through next December, published
> in the usual places — but I haven't reëxported it to those files since I
> last extended it.

I like your usage of ë in a non-French language. :-) I usually do this
with "Koffeïn" (the German word for "caffeine" as it is otherwise
ambiguous since "ei" usually has a special pronunciation in German).

> Should I update those exports manually? It seems weird to have to do
> this manually when it's fully automatable (particularly so when the
> public key in question is on keyring.d.o anyway).

Good question. I assume that at least the latter is not a (that)
common case, so it's probably not taken into account so far.

> There doesn't seem to be a lintian check for expired keys in that file,
> nor a wishlist bug for such a check.

But I think there should be one, especially if that's not yet
automated (or automatable).

> I'm not sure whether one should be added, though; that would depend
> on whether upstream keys that have been retired should or shouldn't
> be retained in that file.

Nope, I think expired keys in debian/upstream/signing-key.asc
generally should cause a warning — independent of if the key
expiration date has been extended elsewhere or not.

> (For example, I didn't RM zsh 5.8, but my
> public key was in signing-key.asc in 5.8.)

Good point. We probably should add dana's public key, too.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe at debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
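
The check discussed in this thread (flagging expired keys in debian/upstream/signing-key.asc) can be sketched as follows. This is an added example, not part of the original message and not lintian's code; the function names are hypothetical, the sample records are constructed, and GnuPG 2.x with `--show-keys` is assumed.

```shell
#!/bin/sh
# expired_keys NOW
# Reads `gpg --with-colons` records on stdin and prints
# "<record-type> <keyid> <expiry-epoch>" for every primary key (pub) or
# subkey (sub) whose expiration time (field 7) is at or before NOW.
# Keys with an empty expiry field never expire and are skipped.
expired_keys() {
    awk -F: -v now="$1" '
        ($1 == "pub" || $1 == "sub") && $7 ~ /^[0-9]+$/ && $7 + 0 <= now + 0 {
            print $1, $5, $7
        }
    '
}

# check_signing_key FILE
# Lists expired keys in an exported keyring snapshot.
# Returns 0 if none are expired, 1 if any are, 2 if gpg could not read FILE.
check_signing_key() {
    records=$(gpg --show-keys --with-colons "$1") || return 2
    out=$(printf '%s\n' "$records" | expired_keys "$(date +%s)")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample records (not real keys): one key whose snapshot expired
# on 2020-07-01, one valid until 2020-12-31, and one without an expiry date.
sample_records() {
    cat <<'EOF'
pub:e:4096:1:AAAAAAAAAAAAAAAA:1500000000:1593561600::-:::sc::::::23::0:
uid:e::::1500000000::0000000000000000000000000000000000000000::Constructed Key A::::::::::0:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1500000000:1609372800::-:::scESC::::::23::0:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1500000000:::-:::scESC::::::23::0:
EOF
}

# Usage from a source package root:
#   check_signing_key debian/upstream/signing-key.asc
```

The check looks only at the expiry recorded in the file itself, so a snapshot that has gone stale is flagged even if the key's validity was extended elsewhere.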


