On Sat, Feb 02, 2013 at 11:51:42PM -0500, Michael Gilbert wrote:
> package: debian-keyring
> version: 2012.11.15
> severity: important
>
> Signature verification currently fails on source packages that were
> signed by keys that are no longer present in the active keyrings.
> This can easily lead to the incorrect conclusion that those packages
> are not to be trusted or possibly malicious. Many packages tend to
> remain in the archive far longer than the key used to sign them, so I
> think it would make a lot of sense to ship the removed-keys to be able
> to easily verify them into the indefinite future.
If we put a key into removed-keys then it indicates we no longer trust it; that could be because we've been told it's revoked, or because we've lost contact with the owner, because it's been compromised or because the owner has transitioned to a stronger key. Shipping removed-keys for the purposes of verification is not appropriate.

J.

-- 
] http://www.earth.li/~noodles/ [] "F**k a duck." -- Walt Disney [
] PGP/GPG Key @ the.earth.li    []                                 [
] via keyserver, web or email.  []                                 [
] RSA: 4096/2DA8B985            []                                 [
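The distinction the report turns on is visible in gpg's machine-readable status output: a key missing from the keyring you verify against yields NO_PUBKEY (the verifier cannot decide), which is a different finding from BADSIG (the signature does not match the content). The script below is an added example, not code from the bug report or from the debian-keyring package. It assumes a GnuPG 2.x `gpg` on PATH, builds a throw-away key and a constructed clearsigned stand-in for a .dsc in a temporary GNUPGHOME, and checks the file against a keyring that still carries the key and against one from which the key has been dropped, which is the kind of explicit-keyring check dscverify performs against /usr/share/keyrings. The "Example Uploader" key and the example.org address are invented for the example.

```shell
#!/bin/sh
# Added example, not from the bug report or the debian-keyring package:
# classify a signature on a .dsc-style file against an explicit keyring,
# distinguishing "good", "bad" and "signer unknown", by parsing gpg's
# --status-fd output. All keys and files are constructed here inside a
# throw-away GNUPGHOME; nothing touches the real keyrings.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# 1. A throw-away signing key standing in for an uploader's key (constructed).
cat >"$WORK/keyparams" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Example Uploader
Name-Email: uploader@example.org
Expire-Date: 0
%commit
EOF
gpg --batch --quiet --gen-key "$WORK/keyparams" 2>/dev/null
KEYID=$(gpg --batch --with-colons --list-keys | awk -F: '$1 == "pub" { print $5; exit }')

# 2. A constructed, clearsigned stand-in for a source package's .dsc.
printf 'Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n' >"$WORK/dsc.in"
SIGNED="$WORK/example_1.0-1.dsc"
gpg --batch --quiet --clearsign --local-user "$KEYID" --output "$SIGNED" "$WORK/dsc.in" 2>/dev/null

# A copy whose signed text was altered after signing.
TAMPERED="$WORK/example_1.0-1.tampered.dsc"
sed 's/^Version: 1\.0-1$/Version: 1.0-2/' "$SIGNED" >"$TAMPERED"

# 3. Two keyrings: one still carrying the key (the "active" keyring) and one
#    from which it has been dropped, as happens when a key is retired.
ACTIVE="$WORK/active-keyring.gpg"
WITHOUT="$WORK/keyring-without-key.gpg"
gpg --batch --export "$KEYID" >"$ACTIVE"
: >"$WITHOUT"

# verify_against KEYRING FILE
# Prints exactly one token: GOODSIG, BADSIG or NO_PUBKEY. Only the named
# keyring is consulted (--no-default-keyring), as dscverify does with the
# files under /usr/share/keyrings.
verify_against() {
    gpg --batch --no-default-keyring --keyring "$1" --status-fd 1 \
        --verify "$2" 2>/dev/null |
        awk '$1 == "[GNUPG:]" && ($2 == "GOODSIG" || $2 == "BADSIG" || $2 == "NO_PUBKEY") { print $2; exit }'
}

# Key present, content intact  -> GOODSIG
# Key present, content altered -> BADSIG
# Key absent, content intact   -> NO_PUBKEY (no evidence of tampering either way)
printf '%-10s %s\n' "$(verify_against "$ACTIVE" "$SIGNED")"   "active keyring, intact file"
printf '%-10s %s\n' "$(verify_against "$ACTIVE" "$TAMPERED")" "active keyring, altered file"
printf '%-10s %s\n' "$(verify_against "$WITHOUT" "$SIGNED")"  "key removed, intact file"
```

A tool that treats NO_PUBKEY as "untrusted or malicious" makes the mistake the report describes; a tool that silently adds removed-keys to the `--keyring` list turns that NO_PUBKEY into GOODSIG for keys the project has stopped trusting, which is the objection in the reply. The honest output for a retired key is "signer unknown to the current keyrings", reported as such.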

