On Fri, Aug 8, 2014 at 7:52 PM, Cyril Brulebois wrote:
>> The archive keyring package is currently signed by Philip Kern's old
>> removed key.
>>
>> Since this package contains the keys to the archive, it really needs a
>> valid signature.
>>
>> $ apt-get source debian-archive-keyring --download-only
>
> Well, surely this is using the apt cache, with Release files and GPG
> signatures all over the place…

Release files signed by the keys that were signed by the removed key.
It's an M.C. Escher painting kind of situation, and I'm being rather
pedantic, but then again, it's simply good hygiene.

> (Also, I don't see why this particular source package would be special
> and would need a specific handling as far as its signature goes.)

Other bad sigs in the archive should also get cleaned up.  I need to do a
more complete analysis of bad sigs and also do a -devel MBF
discussion.

Best wishes,
Mike

