On Wed, Feb 13, 2013 at 8:18 PM, Jonathan McDowell  wrote:
> On Sat, Feb 02, 2013 at 11:51:42PM -0500, Michael Gilbert wrote:
>> package: debian-keyring
>> version: 2012.11.15
>> severity: important
>>
>> Signature verification currently fails on source packages that were
>> signed by keys that are no longer present in the active keyrings.
>> This can easily lead to the incorrect conclusion that those packages
>> are not to be trusted or possibly malicious.  Many packages tend to
>> remain in the archive far longer than the key used to sign them, so I
>> think it would make a lot of sense to ship the removed-keys to be able
>> to easily verify them into the indefinite future.
>
> If we put a key into removed-keys then it indicates we no longer trust
> it; that could be because we've been told it's revoked, or because we've
> lost contact with the owner, because it's been compromised or because
> the owner has transitioned to a stronger key. Shipping removed-keys for
> the purposes of verification is not appropriate.

Note that even if those keys are considered untrustworthy for any
signatures past their removal date, that wasn't the case prior to
their removal.

That differentiation is key, and can be addressed by also publishing
information on removal dates.  Then the tools that do package
authentication can do a little more work to check the signature was
made prior to the key's removal date and reject those that are newer
than that date.  Note that signature date is part of the information
contained in the gpg signature block.

Best wishes,
Mike
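
The check Mike describes, as an added example that is not part of this thread or of any Debian tooling: it parses the hashed subpacket area of a v4 OpenPGP signature packet (RFC 4880) to recover the issuer key ID and the signature creation time, then accepts the signature only if it predates the key's removal date. The removal register (`REMOVED_KEYS`), the key ID `0123456789ABCDEF` and the dates are constructed placeholders; the signature packets are built inline with dummy hash and MPI bytes, so they carry the metadata but would not cryptographically verify.

```python
"""Check an OpenPGP signature's hashed creation time against a key-removal date."""
import struct
from datetime import datetime, timezone

# RFC 4880 values used below
TAG_SIGNATURE = 2
SUBPKT_CREATION_TIME = 2
SUBPKT_ISSUER = 16

# Assumed removal register: issuer key ID -> date the key left the active keyring.
# Key ID and date are constructed for this example.
REMOVED_KEYS = {"0123456789ABCDEF": datetime(2012, 11, 15, tzinfo=timezone.utc)}


def _packet_body(packet):
    """Return the body of one old- or new-format OpenPGP packet; tag must be 2."""
    first = packet[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                                   # new-format header
        tag, l0 = first & 0x3F, packet[1]
        if l0 < 192:
            length, start = l0, 2
        elif l0 < 224:
            length, start = ((l0 - 192) << 8) + packet[2] + 192, 3
        else:
            raise ValueError("unsupported new-format length encoding")
    else:                                              # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length not supported")
        width = (1, 2, 4)[ltype]
        length, start = int.from_bytes(packet[1:1 + width], "big"), 1 + width
    if tag != TAG_SIGNATURE:
        raise ValueError(f"expected signature packet, got tag {tag}")
    return packet[start:start + length]


def _subpackets(area):
    """Yield (type, critical_flag, body) for each subpacket in a subpacket area."""
    pos = 0
    while pos < len(area):
        l0 = area[pos]
        if l0 < 192:
            length, pos = l0, pos + 1
        elif l0 < 255:
            length, pos = ((l0 - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        type_octet = area[pos]                         # high bit marks a critical subpacket
        yield type_octet & 0x7F, bool(type_octet & 0x80), area[pos + 1:pos + length]
        pos += length


def parse_v4_signature(packet):
    """Extract issuer key ID and creation time from the *hashed* subpacket area only.

    The unhashed area is not covered by the signature and can be rewritten by
    anyone, so a policy check must never take the creation time from there.
    """
    body = _packet_body(packet)
    if body[0] != 4:
        raise ValueError(f"only v4 signatures handled, got v{body[0]}")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    info = {"sig_type": body[1], "pk_algo": body[2], "hash_algo": body[3]}
    for sub_type, critical, sub_body in _subpackets(body[6:6 + hashed_len]):
        if sub_type == SUBPKT_CREATION_TIME:
            ts = struct.unpack(">I", sub_body)[0]
            info["created"] = datetime.fromtimestamp(ts, tz=timezone.utc)
        elif sub_type == SUBPKT_ISSUER:
            info["issuer"] = sub_body.hex().upper()
        elif critical:
            raise ValueError(f"unknown critical subpacket type {sub_type}")
    return info


def check_against_removal(info, removed_keys=REMOVED_KEYS):
    """Return (accepted, reason) for a parsed signature under the removal-date policy."""
    issuer, created = info.get("issuer"), info.get("created")
    if issuer is None or created is None:
        return False, "hashed issuer or creation-time subpacket missing"
    removed_at = removed_keys.get(issuer)
    if removed_at is None:
        return True, "issuer key is not in the removal register"
    if created < removed_at:
        return True, f"signed {created:%Y-%m-%d}, before key removal on {removed_at:%Y-%m-%d}"
    return False, f"signed {created:%Y-%m-%d}, on or after key removal on {removed_at:%Y-%m-%d}"


def build_example_signature(created, issuer_hex, new_format=False):
    """Constructed v4 signature packet with only the fields this example inspects."""
    hashed = bytes([5, SUBPKT_CREATION_TIME]) + struct.pack(">I", int(created.timestamp()))
    hashed += bytes([9, SUBPKT_ISSUER]) + bytes.fromhex(issuer_hex)
    body = bytes([4, 0x00, 1, 8])                      # v4, binary document, RSA, SHA-256
    body += struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", 0)                       # empty unhashed area
    body += b"\x12\x34"                                # dummy left 16 bits of hash
    body += struct.pack(">H", 16) + b"\xab\xcd"        # dummy 16-bit MPI
    if new_format:
        return bytes([0xC0 | TAG_SIGNATURE, len(body)]) + body
    return bytes([0x80 | (TAG_SIGNATURE << 2), len(body)]) + body


def check_example(iso_date, issuer_hex, new_format=False):
    """Build, parse and check a constructed signature; returns (accepted, reason, info)."""
    created = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    info = parse_v4_signature(build_example_signature(created, issuer_hex, new_format))
    accepted, reason = check_against_removal(info)
    return accepted, reason, info


if __name__ == "__main__":
    for day in ("2012-06-01", "2013-01-01"):
        print(check_example(day, "0123456789ABCDEF")[:2])
```

Two points a practitioner would keep in mind when applying this policy: the creation time is chosen by the signer, so the check distinguishes "signed while the key was still active" only for removals that were not the result of a compromise, which is the case Jonathan raises; and the date must be read from the hashed subpacket area, as above, since unhashed subpackets are not protected by the signature at all.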
