On Tue, Feb 04, 2014 at 11:58:56AM +0000, Ian Jackson wrote:
> > due to a package in the archive being signed with a key that is no
> > longer in the keyring due to having been retired. As far as I can tell
> > there is no way to override this so such packages can't be imported into
> > dgit hence important severity.
>
> As you can tell from the error message, the error is detected by
> dget. So passing -u to dget will help. You can get dgit to do that
> by saying --dget:-u. This is in the FM.

So, the main issue here is that for a package downloaded from the archive we
already have a trust chain back to the archive and it generally seems wrong
that a user can install a package that they can't import into dgit.

> I'm going to leave this bug open because I think it would be better if
> dgit obtained secure information about the archive's source package
> from the archive, instead of or in addition to using the keyring to
> verify the source package directly.

Indeed - this is the main problem. If dgit were importing something from a
source package specified on the command line it'd be more understandable but
it's working with the archive and further actively forcing the use of the
Debian keyring package.
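The alternative the reply argues for, trusting the archive's own record of the source package rather than the .dsc's OpenPGP signature, as an added example that is not code from this thread, from dgit or from dget: it checks a downloaded .dsc against the Checksums-Sha256 entry of its Sources stanza, assuming that stanza came from an index whose Release file was already verified. The stanza and .dsc contents below are constructed.

```python
# Added example (not dgit's or dget's own code): verify a .dsc using the
# Checksums-Sha256 entry the archive's Sources index carries for it, i.e.
# rely on the archive trust chain (Release signature -> Sources -> .dsc)
# instead of the .dsc's own signature and the keyring it was made with.
# Assumes the Sources stanza was taken from an already-verified index.
import hashlib


def parse_checksums_sha256(stanza: str) -> dict:
    """Return {filename: (sha256_hex, size)} from a Sources stanza."""
    result = {}
    in_field = False
    for line in stanza.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):  # continuation lines are indented
                break
            digest, size, name = line.split()
            result[name] = (digest.lower(), int(size))
    return result


def verify_against_index(stanza: str, filename: str, data: bytes) -> str:
    """Return 'ok', 'not-listed', 'size-mismatch' or 'digest-mismatch'."""
    entries = parse_checksums_sha256(stanza)
    if filename not in entries:
        return "not-listed"
    digest, size = entries[filename]
    if len(data) != size:
        return "size-mismatch"
    if hashlib.sha256(data).hexdigest() != digest:
        return "digest-mismatch"
    return "ok"


# Constructed sample: a tiny .dsc body and the index stanza listing it.
# In a real run the stanza comes from the Release-signed Sources index.
DSC_NAME = "example_1.0-1.dsc"
DSC_DATA = b"Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n"
SOURCES_STANZA = (
    "Package: example\nVersion: 1.0-1\nDirectory: pool/main/e/example\n"
    "Checksums-Sha256:\n"
    f" {hashlib.sha256(DSC_DATA).hexdigest()} {len(DSC_DATA)} {DSC_NAME}\n"
)

if __name__ == "__main__":
    print(verify_against_index(SOURCES_STANZA, DSC_NAME, DSC_DATA))
```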